Comparing two consecutive events

Parse
New Member

Hello all,

I am trying to evaluate my process using two consecutive events and know whether my process succeeded or failed. My log is set up as below:
1. When the process is started, I get - #Timestamp# Started MyProcess
2. When the process is completed successfully, I get - #Timestamp# Completed MyProcess
3. If it fails, I get - #Timestamp# Terminated MyProcess

The process usually takes a minute or so. I would like to query and find out whether the process has succeeded or failed and also how long it took. For the immediate (my process runs many times in a day, so I need to compare only the immediate/consecutive entries) combination of Started and Completed, the status should be Success, whereas for Started and Terminated, the status should be Failed.

My base query is like:

  index=myIndex sourcetype=applogs "Started MyProcess" OR "Completed MyProcess" OR "Terminated MyProcess"

Any help would be highly appreciated! Thanks much!

Cheers!

PS

0 Karma

martin_mueller
SplunkTrust

I'm assuming you have the name of the process extracted into a process field, and that there are no overlapping instances of any one process.

  index=myIndex sourcetype=applogs process=* (Started OR Completed OR Terminated)
| transaction process startswith="Started" endswith="Completed OR Terminated"

Mild disclaimer: Didn't test if the endswith condition is correct syntax, see http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Transaction to make it work for your specific events.

That will stitch together the start and end events, and give you a duration field per process run. By examining the events for "Completed" or "Terminated" you can tell if the run was successful or not.

If the assumption of "no overlapping runs" does not hold, you need unique IDs to link each start and end event together, and run the transaction command on that ID field.

0 Karma
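The events in the question carry no process field, so the transaction approach above needs the process name and the action word extracted first. The following search is an added, fully worked version of that approach (not martin_mueller's code); it assumes the log line format "Started|Completed|Terminated <name>" shown in the question and uses the transaction command's own duration and closed_txn output fields.

```spl
index=myIndex sourcetype=applogs ("Started MyProcess" OR "Completed MyProcess" OR "Terminated MyProcess")
| rex field=_raw "(?<action>Started|Completed|Terminated)\s+(?<process>\S+)"
| transaction process startswith="action=Started" endswith="action=Completed OR action=Terminated" maxevents=2
| eval status=case(closed_txn=0, "Incomplete",
                   match(_raw, "Terminated"), "Failed",
                   true(), "Success")
| eval duration_sec=round(duration, 0)
| table _time process status duration_sec
| sort - _time
```

A run whose Started event never gets a matching Completed or Terminated (for example, a crash that logged nothing) shows up as Incomplete via closed_txn=0 rather than silently being paired with the next run's end event.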