Clarification on transaction command

Hi,

There is a requirement to group the events that start with "String1" and end with "String2" as a transaction, OR group the events that start with "String3" and end with "String4", in the same search query, and then extract fields. I tried a search query like the following:

index=axr | transaction startswith="String1" endswith="String2" OR transaction startswith="String3" endswith="String4"

But I get an error, as there is no option to have two startswith and endswith options.

Is there any way available in Splunk to accomplish this requirement? Please advise. The sample logs:

20141205::User logged off(String1 of transaction)
.
.
.
.
.
20141206::IBMX_fer:failed to ftp(String3 of transaction)
.
.
.
.
.
20141207 ::No translation(String4 of transaction)
.
.
.
.
.
20141208 ::Processing complete(String2 of transaction)


Re: Clarification on transaction command

SplunkTrust

Hi Jananee_iNautix,

Your transaction will not work because of the startswith="" endswith="" OR startswith="" endswith="" options, which are supposed to be provided only once.

If your events only have either string1 or string3, and string2 or string4, then you could try something like this:

your base search to get all needed events | eval mystart=coalesce(string1, string3) | eval myend=if(mystart=string1, string2, string4) | transaction startswith=mystart endswith=myend | ...

Some minor updates to the wording and the search command, based on the two comments below 😉

hope this helps ...

cheers, MuS


Re: Clarification on transaction command

Motivator

Hello MuS,

In your solution you could end up with a transaction that starts with string 1 and ends with string 4 being treated as a valid transaction. And it seems that string 1 would only end with string 3 (not 3 or 4).

Regards


Re: Clarification on transaction command

SplunkTrust

That's true, but as long as no log examples are provided, this is all just "if - when - maybe - you - could"... Then again, one can add another if to check: eval myend=if(mystart=string1, string2, string4) ...


Re: Clarification on transaction command

Legend

I don't see anything wrong with the initial search of index=axr.


Re: Clarification on transaction command

My requirement is that one transaction should strictly start with "String1" and end with "String2", and the other transaction should strictly have startswith="String3" and endswith="String4". There should not be any other combinations. Can you please suggest a way to do that?


Re: Clarification on transaction command

SplunkTrust

If your events only contain either String1 or String3, you can test my search command. It will take either String1 or String3 as startswith and, depending on startswith, sets either String2 or String4 as endswith.


Re: Clarification on transaction command

When I worked with the query given by you, the events of the transaction involving String3 & String4 don't get loaded. The String3 & String4 transaction is inside the String1 & String2 transaction. In such cases, will the query work as expected? I have also uploaded the sample logs in the question. Please take a look at the logs and advise.


Re: Clarification on transaction command

SplunkTrust

Okay, this is why you should always provide some sample logs when asking something.... It looks like your string1|2|3|4 is not a field. You really mean a string of words. So the first thing to do is to get those words into some field, because the evals I used are all based on fields called string1 or string2 and so on.

Read more about field extraction here: http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Addfieldsatsearchtime
and use the newly created field as shown in my example.
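Added example, not part of the original thread and not MuS's search: one way to meet the "strictly String1 to String2, or strictly String3 to String4, never a mix" requirement against the sample logs above is to run transaction once per pair over the same base search and append the two result sets. Because each pair is its own transaction pass, a group can never open on one pair's start phrase and close on the other pair's end phrase, and the nested ftp transaction (String3/String4 sitting inside String1/String2) is still found, since each pass sees every event. The index name axr comes from the question and the boundary phrases are taken from the sample log lines (the "(StringN of transaction)" annotations are the poster's notes, not log content); the field name txn_type and the final table are assumptions for illustration.

```spl
index=axr
| transaction startswith="User logged off" endswith="Processing complete"
| eval txn_type="logoff"
| append
    [ search index=axr
      | transaction startswith="IBMX_fer:failed to ftp" endswith="No translation"
      | eval txn_type="ftp" ]
| table _time txn_type duration eventcount _raw
```

Each row is one complete transaction tagged with the pair that produced it, so field extraction (rex, etc.) can be applied per txn_type afterwards. Two caveats a practitioner should check: the append subsearch is subject to the subsearch limits in limits.conf (by default 10,000 results and 60 seconds), so on a large index run the two transactions as separate searches or narrow the base search; and if the events carry a session or job identifier, add it as the transaction's field list so unrelated interleaved activity is not swept into the same group.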