Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find Transaction time with same startswith log string.

sethuk555
Engager
‎07-29-2014 12:41 PM

Hi,

I need to find the transaction time between these 2 statements which has same startswith Log strings(different endswith) and hence its ignoring the first event.

2014-07-04 09:48:00-System Up - Node1 is down
2014-07-04 09:43:00-System Up

How could I find the transaction time between these 2 events.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎07-29-2014 01:23 PM

My suggestion would be to create a field called message which will store the message after "System Up -", so that it would be blank/null for 2nd event and you can use that as startswith (different in both entries).

something like this

Your base search | rex "System Up\s*-\s*(?<message>.*)$" | transaction startswith="System Up AND NOT message=*" endswith="System Up message=*"
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...