Capturing the final value from the final event in a transaction?

Builder

I have created a transaction that may contain one or more of these three log level types (logLevels), i.e. METRIC/INFO/WARN.

For example: assume that one transaction holds three events, and each event has its own logLevel type.

My question is: how can I pick up the final LogLevel type for the last event at the end of a transaction?

1 Solution

Communicator

It depends on whether those different LogLevel fields can happen in one transaction multiple times or not.

It gets a bit more tricky if you can have multiple LogLevel fields in one transaction, like this:

INFO
WARN
INFO
WARN

And you want to know what the last one was. In such cases I usually use the following trick:

mysearch | eval temp1=_time+","+LogLevel | transaction something | eval LastLogLevel=substr(mvindex(temp1,mvcount(temp1)-1),16)

This will create a new field that contains the concatenated timestamp and the LogLevel field. One such field will be created for every LogLevel appearance in your transaction, so you simply pick the last one with the mvindex command and pull out the value with substr.
There might be a more efficient way to do this too 🙂

Legend

As bojanz says, it depends on whether multiple log levels appear in a transaction. It also depends on whether you have used the Splunk transaction command to create the "transaction" that you mention, or if you are referring to the transactions that logically exist in your events.

Using the "transaction" command in Splunk is very cool, but also expensive. So if you don't need the resulting transaction for any other reason, try something like this instead:

mysearch | stats latest(logLevel) by transactionId

This will return the latest (in time) logLevel in a transaction. If you have multiple criteria that define a transaction, you could use them all here:

mysearch | stats latest(logLevel) by customerId, sessionId

This would return one logLevel for each combination of customerId and sessionId.

The above will return the latest logLevel, whatever it is, regardless of whether there are multiple logLevels in the transaction.

Oh, and if you want to return the last logLevel for each unique logLevel that appears in the transaction, as bojanz did, just add logLevel to the by clause:

mysearch | stats latest(logLevel) by transactionId, logLevel
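Both answers above, worked through on a small set of constructed events, as an added example that is not from the original thread. The field names transactionId and logLevel and the epoch timestamps are assumed; the first search is the stats approach, the second reproduces bojanz's timestamp-prefix trick but splits on the comma instead of relying on substr's fixed offset, which only holds while the _time string keeps a fixed width.

```spl
| makeresults
| eval data="1700000000,T1,INFO;1700000005,T1,WARN;1700000009,T1,INFO;1700000002,T2,METRIC;1700000007,T2,WARN"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<t>\d+),(?<transactionId>\w+),(?<logLevel>\w+)$"
| eval _time=tonumber(t)
| fields - data t
| stats earliest(logLevel) as FirstLogLevel, latest(logLevel) as LastLogLevel, min(_time) as start, max(_time) as end, count as events by transactionId

| makeresults
| eval data="1700000000,T1,INFO;1700000005,T1,WARN;1700000009,T1,INFO;1700000002,T2,METRIC;1700000007,T2,WARN"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<t>\d+),(?<transactionId>\w+),(?<logLevel>\w+)$"
| eval _time=tonumber(t)
| eval stamped=_time.",".logLevel
| sort - _time
| transaction transactionId
| eval LastLogLevel=mvindex(split(mvindex(stamped, mvcount(stamped)-1), ","), 1)
| table transactionId eventcount LastLogLevel stamped
```

With the default mvlist=false, transaction keeps a multivalue field as a set of unique values in lexicographic order, so the _time prefix is what makes the last element of stamped the chronologically latest one; both searches report T1 ending in INFO (despite the earlier WARN) and T2 ending in WARN.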


Path Finder

Works like a charm. Thanks.

Builder

Bingo! Thanks!

Legend

You should be able to use stats:

... | stats last(LogLevel) by _time