Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Advanced search question, match logs entries against other entries by string, show diff?

darrel343
Engager
‎05-14-2015 10:19 AM

My log entries look like this:

DATE: order=8 status=processed
-many entries in between-
DATE: order=8 status=completed

Is there some way I can get a count of instances where "order=X processed" is found but where "order=X completed" is not found? I'm pretty new to splunk queries, and have been reading up, but this is kind of specific and I'm not even sure if it's possible, so I thought I would ask.

Also, I can control the log files, so if there is a different way of separating fields or a way of logging that would make this easier, please let me know.

0 Karma
Reply

chimell
Motivator
‎05-15-2015 03:43 PM

Hi darrel343
Try this search code i think it will help

  .......... status="processed" AND status!="completed"  |stats count by order |table count
0 Karma
Reply

wpreston
Motivator
‎05-14-2015 11:00 AM

Like @bmcias84 said, transaction is the way to go. You'll want to include the keepevicted flag with it. Transaction will automatically add a field called closed_txn that tells you whether the transaction is complete or incomplete. Use this field in conjunction with stats to get the information you need. something like this:

your main search | transaction order startswith="status=processed" endswith="status=completed" keepevicted=t | stats count(eval(closed_txn="0")) as "Complete_Order_Transaction" count(eval(closed_txn="1" AND status="processed")) as "Order_Processed_But_No_Completion" count(eval(closed_txn="1" AND status="completed")) as "Order_Completed_But_Not_Processed"
Reply

darrel343
Engager
‎05-15-2015 11:03 AM

This answer was the most helpful in showing me how to make the transaction feature work, thanks.

0 Karma
Reply

lguinn2
Legend
‎05-14-2015 10:42 AM

This should work

yoursearchhere status=processed status=completed
| stats count(eval(status="processed")) as processed count(eval(status="completed")) as completed by order
| where processed >= 1 and completed < 1

Or you could use transaction as suggested, but it will be less efficient

yoursearchhere status=processed status=completed
| transaction order
| where eventcount < 2
Reply

aweitzman
Motivator
‎05-14-2015 10:39 AM

One of the more efficient ways to do this is to gather your statuses for each order into a multivalued field and then filter your results by its contents:

...your search... 
| stats values(status) as statusvalues by order
| where statusvalues="processed" AND statusvalues!="completed" 
| table order

Splunk is nice that you can check any value of of a multivalued field using the = operator.

Reply

bmacias84
Champion
‎05-14-2015 10:34 AM

You do transaction on order id. then find where order don't contain completed. probably the simplest.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...