Solved: Re: Capturing the final value from the final event...

Dark_Ichigo · ‎01-30-2012

I have created a transaction that may contain one or more of these three log level types logLevels i.e. METRIC/INFO/WARN

For Example: Assume that one transaction holds three events, each event has its own logLevel type.

My Question is, How Can I pick up the final LogLevel type for the last event at the end of a Transaction?

bojanz · ‎01-31-2012

It depends if those different LogLevel fields can happen in one transaction multiple times or not.

It gets a bit more tricky if you can have multiple LogLevel fields in one transaction, i.e. like this:

INFO
WARN
INFO
WARN

And you want to know what the last one was. In such cases I usually use the following trick:

mysearch | eval temp1=_time+","+LogLevel | transaction something | eval LastLogLevel=substr(mvindex(temp1,mvcount(temp1)-1),16)

This will create a new field that contains concatenated timestamp and the LogLevel field. One such field will be created for every LogLevel appearance in your transaction so you simply pick the last one with the mvindex command and pull out the value with substr.
There might be a more efficient way to do this too 🙂

View solution in original post

lguinn2 · ‎02-01-2012

As bojanz says, it depends on whether multiple log levels appear in a transaction. It also depends on whether you have used the Splunk transaction command to create the "transaction" that you mention, or if you are referring to the transactions that logically exist in your events.

Using the "transaction" command in Splunk is very cool, but also expensive. So if you don't need the resulting transaction for any other reason, try something like this instead

mysearch | stats latest(logLevel) by transactionId

This will return the latest (in time) logLevel in a transaction. If you have multiple criteria that define a transaction, you could use them all here:

mysearch | stats latest(logLevel) by customerId, sessionId

This would return one logLevel for each combination of customerId and sessionId

The above will return the latest logLevel, whatever it is, regardless of whether there are multiple logLevels in the transaction.

Oh, and if you want to return the last logLevel for each unique logLevel that appears in the transaction, as bojanz did, just add logLevel to the by clause:

mysearch | stats latest(logLevel) by transactionId, logLevel

bojanz · ‎01-31-2012

It depends if those different LogLevel fields can happen in one transaction multiple times or not.

It gets a bit more tricky if you can have multiple LogLevel fields in one transaction, i.e. like this:

INFO
WARN
INFO
WARN

And you want to know what the last one was. In such cases I usually use the following trick:

mysearch | eval temp1=_time+","+LogLevel | transaction something | eval LastLogLevel=substr(mvindex(temp1,mvcount(temp1)-1),16)

This will create a new field that contains concatenated timestamp and the LogLevel field. One such field will be created for every LogLevel appearance in your transaction so you simply pick the last one with the mvindex command and pull out the value with substr.
There might be a more efficient way to do this too 🙂

ifeldshteyn · ‎12-10-2015

Works like a charm. Thanks

Dark_Ichigo · ‎02-09-2012

Bingo!.....Thanks!

Ayn · ‎01-31-2012

You should be able to use stats:

... | stats last(LogLevel) by _time

Capturing the final value from the final event in a transaction?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!