Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting sessions with missing events

ShagVT
Path Finder
‎04-23-2021 07:54 AM

Hey gang - searching for missing data is probably the weakest part of my Splunk skillset.  I just have a hard time thinking through how to even write such a query. 

I have a transaction that usually goes event_name=A, event_name=B, event_name=C.  But I'm trying to research a situation where B is missing sometimes.  I'd like to be able to build a timechart that shows the number of transactions in which B is missing.   The events in transaction are all linked by a common identifier that we'll call session_id.

I've looked at the transaction command and I suppose I understand that.

index=indexname event_name=A OR event_name=B OR event_name=C | transaction session_id startsWith=A endsWith=C maxspan=10m

But I don't know where to go from here.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-23-2021 08:07 AM

Assuming that session_id is unique across transactions, this will tell you when a transaction with fewer than 3 unique events started and finished

index=indexname event_name=A OR event_name=B OR event_name=C
| stats dc(event_name) as events earliest(_time) as start latest(_time) as end by session_id
| where events < 3

 If you specifically want the check event B, you could 

index=indexname event_name=A OR event_name=B OR event_name=C
| stats values(event_name) as events earliest(_time) as start latest(_time) as end by session_id
| where isnull(mvfind(events,"B"))

View solution in original post

Reply
Solved! Jump to solution

ShagVT
Path Finder
‎04-23-2021 09:42 AM

Your second query here is basically what I was looking for.  To make it work as a timechart I ended up doing this:

 

index=indexname event_name=A OR event_name=B OR event_name=C
| stats values(event_name) as events earliest(_time) as start latest(_time) as end by session_id
| where isnull(mvfind(events,"B"))
| eval _time=start
| timechart count

 

THANK YOU!!!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-23-2021 08:07 AM

Assuming that session_id is unique across transactions, this will tell you when a transaction with fewer than 3 unique events started and finished

index=indexname event_name=A OR event_name=B OR event_name=C
| stats dc(event_name) as events earliest(_time) as start latest(_time) as end by session_id
| where events < 3

 If you specifically want the check event B, you could 

index=indexname event_name=A OR event_name=B OR event_name=C
| stats values(event_name) as events earliest(_time) as start latest(_time) as end by session_id
| where isnull(mvfind(events,"B"))
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...