Splunk Search

Define a search range by event found (not by time)

dowdag
Engager

I am trying to look for data (from a few different log files) between a pair of Start Event and End Events in one related Log file.
Clearly, this is wrong, but I can not understand how to think as Splunk does- any help here would be appreciated.

[outer:]
start searching from Start Event

index=_* OR index=* 
| eval EventType=case(match("^Tender"),"Start"
| sort 0 _time
| search EventType="Start"

[inner]

index=_* OR index=* 
| transaction TransactionId PaymentId CheckNumber 
| eval duration=round(duration,3)
| table sourcetype _time  TransactionId PaymentId duration Info

Search to you find the End Event

index=_* OR index=*
| eval EventType=case(match(Info, "PrintIntercept\:\:PrintXML finished"),"End")
| sort 0 _time
| search  EventType="End"
0 Karma

dowdag
Engager

Let me try to break down what I am going after:

Step One -

Jun 06, 11:11:22.541100 xxxxxx"Tender,10048 [Active win:, 002B05D4],"OK",(762,579)" --- This Event marks the Start of my search for the following events sequentially between start and end points. ) 

Step Two - Find this multiline string and treat it as One Event from a different log file

2019-05-15 10:08:37,710 ...........  - Enqueuing interaction (end of line)
TransactionInf...... TransactionId=(?<TransactionIdId>.+)end of line)
    CmdInfo=[TerminalId=3, OriginalTerminal=|null|, TableId=3145754, CheckId=3145755, CustomCommand=|null|, ScreenType=NotSet](end of line)
    PaymentInfo=[PaymentId=(?<PaymentId>\d+) ........Reference=, LastCompletionRefID=]](end of line)

2019-05-15 10:08:37,710 -- next event - that marks the end of above event if needed.

Step Three Run this query untill Step 4 - TransactionId PaymentId are referenced from Step 2

| transaction TransactionId PaymentId  
| eval duration=round(duration,3)
| table sourcetype TimeStamp  TransactionId PaymentId duration Info

Step 4 Define End of Search Period

  Jun 06, 11:11:38.492012, ....... "PrintIntercept::PrintXML finished"

Hope that explains what I am trying to accomplish.
Thanks for any suggestions.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@dowdag,

I think must be having some field or fields that is/are helpful to group these events. You can use stats command which will help you to group the events and to apply any operations on those grouped events.

Feel free to ask further questions if you have any.

0 Karma

jnudell_2
Builder

Hi dowdag,

You'll need to provide some more context in order to receive any sort of meaningful responses. Some sample data would help (sanitize it if you need to) a LOT. Even your description is ambiguous:
You're looking for data (from a few different log files) ... In one related log file <--- Which is it? A few different log files, or one log file?
Be as detailed as you can, even over-explaining, and you're more likely to get answers back.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...