Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting fields from transactions that have status events

baegoon
Explorer
‎05-09-2017 03:46 AM

I have a couple of transactions I have created for example:

Transaction A: startswith=Begin_Process endswith=Request_Completed
Transaction B: startswith=Begin_Process endswith=Workflow_Error

and So on. However all transactions have a status called User_Info. This event can happen multiple times in a transaction. Thus if I have 12 events for transaction A, 6 of those are User_Info. I want to create a report for every transaction I get the latest User_Info Event and extract out fields such as UserName Manager, Status, Message, Transaction ID from the User_Info Event.

Can anyone provide any guidance?

Also how can I convert the transaction duration to either hours or days?

0 Karma
Reply

baegoon
Explorer
‎05-09-2017 05:30 AM

Yes Ok that's cool however I would like to calculate and report the duration of the transactions. Mabye I can use the stats and last commands as well?

There is not a lot of training material from my 2016 class on the use of streamstats. So I will research this on splunk docs.

0 Karma
Reply

dineshraj9
Builder
‎05-09-2017 04:53 AM

You can avoid transactions and achieve this using streamstats-

<your search> | eval BEGIN_TRAN=if(like(_raw,"%Begin_Process%"),1,0) | streamstats sum(BEGIN_TRAN) as TRAN_ID | search User_Info=* | stats last(User_Info) as Last_User_Info by TRAN_ID
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...