Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting fields from transactions that have status events

baegoon
Explorer
‎05-09-2017 03:46 AM

I have a couple of transactions I have created for example:

Transaction A: startswith=Begin_Process endswith=Request_Completed
Transaction B: startswith=Begin_Process endswith=Workflow_Error

and So on. However all transactions have a status called User_Info. This event can happen multiple times in a transaction. Thus if I have 12 events for transaction A, 6 of those are User_Info. I want to create a report for every transaction I get the latest User_Info Event and extract out fields such as UserName Manager, Status, Message, Transaction ID from the User_Info Event.

Can anyone provide any guidance?

Also how can I convert the transaction duration to either hours or days?

0 Karma
Reply

baegoon
Explorer
‎05-09-2017 05:30 AM

Yes Ok that's cool however I would like to calculate and report the duration of the transactions. Mabye I can use the stats and last commands as well?

There is not a lot of training material from my 2016 class on the use of streamstats. So I will research this on splunk docs.

0 Karma
Reply

dineshraj9
Builder
‎05-09-2017 04:53 AM

You can avoid transactions and achieve this using streamstats-

<your search> | eval BEGIN_TRAN=if(like(_raw,"%Begin_Process%"),1,0) | streamstats sum(BEGIN_TRAN) as TRAN_ID | search User_Info=* | stats last(User_Info) as Last_User_Info by TRAN_ID
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...