Re: Conditional Transaction Search

Wiggy · ‎04-15-2013

Say I have two different logs, source=a.txt and source=b.txt and their format is as follows:

Source=a.txt

09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5492
09-Apr-2013 05:32:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

Source=b.txt

09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5493
09-Apr-2013 05:22:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

For that day, is there a way to present the data by 10 minute intervals to show if the process was still running or not? I have attempted to use the transaction command to help in outputting the result, but am not sure if this is the right path to take. An output example would be:

Time | a.txt | b.txt
00:00 | 0 | 0 
00:10 | 0 | 1
00:20 | 1 | 1
00:30 | 1 | 1
.
.
.
05:20 | 1 | 1
05:30 | 1 | 0
05:40 | 1 | 0

Ayn · ‎04-15-2013

Not sure if you really need transaction for this. Wouldn't it be enough to just run timechart and look at whether the count of events for each timeslice is zero or not?

source="a.txt" OR source="b.txt" | timechart span=10m count by source

Conditional Transaction Search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation