Splunk Search

Define a search range by event found (not by time)

dowdag
Engager

I am trying to look for data (from a few different log files) between a pair of Start Event and End Events in one related Log file.
Clearly, this is wrong, but I cannot understand how to think as Splunk does. Any help here would be appreciated.

[outer]
start searching from Start Event

index=_* OR index=*
| eval EventType=case(match(Info, "^Tender"), "Start")
| sort 0 _time
| search EventType="Start"

[inner]

index=_* OR index=* 
| transaction TransactionId PaymentId CheckNumber 
| eval duration=round(duration,3)
| table sourcetype _time  TransactionId PaymentId duration Info

Search until you find the End Event

index=_* OR index=*
| eval EventType=case(match(Info, "PrintIntercept\:\:PrintXML finished"),"End")
| sort 0 _time
| search EventType="End"
0 Karma

dowdag
Engager

Let me try to break down what I am going after:

Step One -

Jun 06, 11:11:22.541100 xxxxxx"Tender,10048 [Active win:, 002B05D4],"OK",(762,579)" --- This Event marks the Start of my search for the following events sequentially between start and end points.

Step Two - Find this multiline string and treat it as One Event from a different log file

2019-05-15 10:08:37,710 ...........  - Enqueuing interaction (end of line)
TransactionInf...... TransactionId=(?<TransactionIdId>.+)(end of line)
    CmdInfo=[TerminalId=3, OriginalTerminal=|null|, TableId=3145754, CheckId=3145755, CustomCommand=|null|, ScreenType=NotSet](end of line)
    PaymentInfo=[PaymentId=(?<PaymentId>\d+) ........Reference=, LastCompletionRefID=]](end of line)

2019-05-15 10:08:37,710 -- next event - that marks the end of above event if needed.

Step Three - Run this query until Step 4 - TransactionId and PaymentId are referenced from Step 2

| transaction TransactionId PaymentId  
| eval duration=round(duration,3)
| table sourcetype TimeStamp  TransactionId PaymentId duration Info

Step 4 Define End of Search Period

  Jun 06, 11:11:38.492012, ....... "PrintIntercept::PrintXML finished"

Hope that explains what I am trying to accomplish.
Thanks for any suggestions.

0 Karma
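One way to express Steps 1 to 4 as a single SPL search, written as an added example for this thread rather than taken from the original post: a subsearch locates the first Tender event and the first "PrintIntercept::PrintXML finished" event after it and returns their timestamps as earliest/latest, so the outer search is bounded by events instead of a fixed time range, and the payment events inside that window are then grouped with transaction as in Step 3. The index name pos, the sourcetype names, the field name Info (as used in the original post) and the rex extractions for TransactionId and PaymentId are assumptions about the environment.

```spl
index=pos (sourcetype=pos_ui OR sourcetype=pos_payment OR sourcetype=pos_print)
    [ search index=pos sourcetype=pos_ui
        (Info="Tender*" OR Info="PrintIntercept::PrintXML finished")
      | eval marker=if(like(Info, "Tender%"), "start", "end")
      | sort 0 _time
      | streamstats count(eval(marker="start")) AS cycle
      | where cycle=1
      | stats min(_time) AS earliest,
              min(eval(if(marker="end", _time, null()))) AS latest
      | eval latest=latest+1
      | return earliest latest ]
| rex field=_raw "TransactionId=(?<TransactionId>[^,\s\]]+)"
| rex field=_raw "PaymentId=(?<PaymentId>\d+)"
| where isnotnull(TransactionId) OR isnotnull(PaymentId)
| transaction TransactionId PaymentId maxspan=10m
| eval duration=round(duration, 3)
| table sourcetype _time TransactionId PaymentId duration Info
```

Splunk treats latest as exclusive, which is why the subsearch adds one second so that the PrintXML finished event itself falls inside the window. If no Tender event exists in the selected time range the subsearch returns nothing and the outer search runs unbounded, so run the subsearch on its own first to confirm it yields exactly one earliest/latest pair.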

VatsalJagani
SplunkTrust

@dowdag,

I think you must be having some field or fields that are helpful to group these events. You can use the stats command, which will help you to group the events and to apply any operations on those grouped events.

Feel free to ask further questions if you have any.

0 Karma

jnudell_2
Builder

Hi dowdag,

You'll need to provide some more context in order to receive any sort of meaningful responses. Some sample data would help (sanitize it if you need to) a LOT. Even your description is ambiguous:
You're looking for data (from a few different log files) ... in one related log file <--- Which is it? A few different log files, or one log file?
Be as detailed as you can, even over-explaining, and you're more likely to get answers back.

0 Karma