Splunk Search

Help on Transaction command!!

shri_27
Path Finder

Hi All,
I want count of word "ERROR" in the group of events for which i have used transaction command!

my search query is

source="*.log" | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup" 

Now i want to count the no of times the word "ERROR" has occurred between the limits.

sample log
[M2E-CSI]2013-06-11 01:19:40,924 PDT - Hydra is starting Control Channel
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
completed setup

Tags (1)

sideview
SplunkTrust
SplunkTrust

I would use eval to make a numeric field valued at 0 or 1 as appropriate, on the events before transaction. This will then become a multivalued field in the transaction rows, and then you can more easily sum it up. Granted if we're talking a really large number of errors per transaction, then you might hit some multivalued-field limits.

source="*.log" | eval errorCount=if(searchmatch("ERROR"),1,0) | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup" | streamstats count as rowIndex | streamstats sum(errorCount) as totalErrors by rowIndex

shri_27
Path Finder

Thanks for the reply....

0 Karma

sideview
SplunkTrust
SplunkTrust

index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex | stats sum(totalErrors) as totalErrors by source

0 Karma

shri_27
Path Finder

Thanks for the reply ...
If i use by source,i am not getting the count.....

0 Karma

eashwar
Communicator

hello, i was just going through the answer try below
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | eventstats sum(errorCount) as totalErrors by source

0 Karma

shri_27
Path Finder

Thanks for your reply, i got the correct count.
But i want to display the results in the below format

Source Number of errors
file1 12
file2 25
file3 32
file4 23

This is the search Query
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex

Please help me..........

0 Karma

sideview
SplunkTrust
SplunkTrust

Oh I think you need to add mvlist=t to your transaction command. By default mvlist is false, meaning it will only preserve a single "1" because it's only preserving distinct values. You might also want to put a fields clause before transaction to narrow down to just the fields you'll need to minimize transaction's work preserving all the other field values if you're not going to use them.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Transaction

0 Karma

shri_27
Path Finder

Hi sideview,
Thanks for your response! still am getting count of word "ERROR" as 1!!, as we see in sample log we should get count as 9.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...