Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting fields from transactions that have status events

baegoon
Explorer
‎05-09-2017 03:46 AM

I have a couple of transactions I have created for example:

Transaction A: startswith=Begin_Process endswith=Request_Completed
Transaction B: startswith=Begin_Process endswith=Workflow_Error

and So on. However all transactions have a status called User_Info. This event can happen multiple times in a transaction. Thus if I have 12 events for transaction A, 6 of those are User_Info. I want to create a report for every transaction I get the latest User_Info Event and extract out fields such as UserName Manager, Status, Message, Transaction ID from the User_Info Event.

Can anyone provide any guidance?

Also how can I convert the transaction duration to either hours or days?

0 Karma
Reply

baegoon
Explorer
‎05-09-2017 05:30 AM

Yes Ok that's cool however I would like to calculate and report the duration of the transactions. Mabye I can use the stats and last commands as well?

There is not a lot of training material from my 2016 class on the use of streamstats. So I will research this on splunk docs.

0 Karma
Reply

dineshraj9
Builder
‎05-09-2017 04:53 AM

You can avoid transactions and achieve this using streamstats-

<your search> | eval BEGIN_TRAN=if(like(_raw,"%Begin_Process%"),1,0) | streamstats sum(BEGIN_TRAN) as TRAN_ID | search User_Info=* | stats last(User_Info) as Last_User_Info by TRAN_ID
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...