Splunk Search

Extracting fields from transactions that have status events


I have a couple of transactions I have created for example:

Transaction A: startswith=Begin_Process endswith=Request_Completed
Transaction B: startswith=Begin_Process endswith=Workflow_Error

and So on. However all transactions have a status called User_Info. This event can happen multiple times in a transaction. Thus if I have 12 events for transaction A, 6 of those are User_Info. I want to create a report for every transaction I get the latest User_Info Event and extract out fields such as UserName Manager, Status, Message, Transaction ID from the User_Info Event.

Can anyone provide any guidance?

Also how can I convert the transaction duration to either hours or days?

0 Karma


Yes Ok that's cool however I would like to calculate and report the duration of the transactions. Mabye I can use the stats and last commands as well?

There is not a lot of training material from my 2016 class on the use of streamstats. So I will research this on splunk docs.

0 Karma


You can avoid transactions and achieve this using streamstats-

<your search> | eval BEGIN_TRAN=if(like(_raw,"%Begin_Process%"),1,0) | streamstats sum(BEGIN_TRAN) as TRAN_ID | search User_Info=* | stats last(User_Info) as Last_User_Info by TRAN_ID
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...