Calrification on transaction command

Jananee_iNautix · ‎05-09-2014

Hi,

There is a requirement to group the events that startswith"String1" and endswith "String2" as a transaction OR group the events that startswith="String3" and endswith="String4" in the same search query and extract fields.I tried the search query like as follows

index=axr |transaction startwith="String1" endswith="String2" OR transaction startswith="String3" endswith="String4"
But I get error as there is no option to have two startswith and endswith

Is there any way available in splunk to accomplish this requirement? Please advise.The sample logs

20141205::User logged off(String1 of transaction)
.
.
.
.
.
20141206::IBMX_fer:failed to ftp(String3 of transaction)
.
.
.
.
.
20141207 ::No translation(String4 of transaction)
.
.
.
.
.
20141208 ::Processing complete(String2 of transaction)

MuS · ‎05-09-2014

Hi Jananee_iNautix,

your transaction will not work because of the startswith="" endswith="" OR startswith="" endswith="" options which are supposed to be provided only once.

if your events only have either string1 or string3 and string2 or string4 then you could try something like this:

your base search to get all needed events | eval mystart=coalesce(string1, string3) | eval myend=if(mystart=string1, string2, string4) | transaction startswith=mystart endswith=myend | ...

Some minor updates to the wording and the search command, based on the two comments below 😉

hope this helps ...

cheers, MuS

MuS · ‎05-13-2014

Okay, this is way you should always provide some sample logs if asking something....it looks like your string1|2|3|4 is not a field. You really mean a string of words. So first thing to do is, to get those words in some field, because the evals I used are all based on fields called string1 or string2 and so on.

Read more about field extraction here http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Addfieldsatsearchtime
and use the new cretaed field as shown in my example.

Jananee_iNautix · ‎05-13-2014

When worked with the query given by you,the events of transaction involving String3 & String4 doesn't get load.The transaction -String3 &4 is inside the transaction -String1 &2.In such cases,will the query works as expected.I have also uploaded the sample logs in the question.Please take a look at the logs and advise .

MuS · ‎05-11-2014

If your events only contain either String1 or String3 you can test my search command. it will take either String1 or String3 as startswith and depending on startswith sets either String2 or String4 as endswith

Jananee_iNautix · ‎05-11-2014

My requirement is like the transaction should start with "String1" and endwith "String2" strictly and the other transaction should startwith="String3" and endswith="String4" striclty.There should not be other combinations .Can you please suggest any way to do that?

lguinn2 · ‎05-09-2014

I don't see anything wrong with the initial search of index=axr

MuS · ‎05-09-2014

that's true, but as long as no log examples are provided this is all just if - when - maybe - you - could ... then again one can add another if to check eval myend=if(mystart=string1, string2, string4) ...

gfuente · ‎05-09-2014

Hello Mus

In your solution you could end up with start with string 1 and ends with string 4 as a valid transaction. And it seems that string 1 would only ends with string 3 (not 3 or 4)

Regards

Calrification on transaction command

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout