Splunk Search

Extracting fields from transactions that have status events


I have a couple of transactions I have created for example:

Transaction A: startswith=Begin_Process endswith=Request_Completed
Transaction B: startswith=Begin_Process endswith=Workflow_Error

and So on. However all transactions have a status called User_Info. This event can happen multiple times in a transaction. Thus if I have 12 events for transaction A, 6 of those are User_Info. I want to create a report for every transaction I get the latest User_Info Event and extract out fields such as UserName Manager, Status, Message, Transaction ID from the User_Info Event.

Can anyone provide any guidance?

Also how can I convert the transaction duration to either hours or days?

0 Karma


Yes Ok that's cool however I would like to calculate and report the duration of the transactions. Mabye I can use the stats and last commands as well?

There is not a lot of training material from my 2016 class on the use of streamstats. So I will research this on splunk docs.

0 Karma


You can avoid transactions and achieve this using streamstats-

<your search> | eval BEGIN_TRAN=if(like(_raw,"%Begin_Process%"),1,0) | streamstats sum(BEGIN_TRAN) as TRAN_ID | search User_Info=* | stats last(User_Info) as Last_User_Info by TRAN_ID
0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...