Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to find how many sessions are missing a certain log entry over time?

Clutchplate
Engager
‎01-28-2016 04:54 PM

I am logging events of my application by session. i.e whenever the app is started, I generate a new SessionId and then generate events. Two of the events generated are "Startup" and "Shutdown". Each event has a StartTime field, too.

I am trying to write a search that will look at all sessions and show me how many sessions did not have a Shutdown entry over time. Essentially letting me see how many crashes I'm getting over time.

I've come close with this:

index=foo source=barDB  | WHERE EventName="Shutdown" OR EventName="Startup" | BUCKET SessionId |STATS count BY SessionID

this gives me a list with a sessionID column and a count column containing either 1 or a 2. I now want to chart the ones that have a 1 over time.

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-28-2016 09:07 PM

Try something similar

index="foo" sourcetype="barDB"|where EventName="Shutdown" OR EventName="StartUp"|stats first(EventName) AS recent_event first(_time) AS _time by  SessionId|search recent_event="StartUp"|timechart count

the bucket (bin) on SessionId might divide that into a range.

Try executing only below part if you want to know the result 

    index="foo" sourcetype="barDB"|where EventName="Shutdown" OR EventName="StartUp"|stats first(EventName) AS recent_event first(_time) AS _time by  SessionId
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

gcato
Contributor
‎01-28-2016 09:13 PM

Hi Clutchplate,

Not quite sure what you mean by chart in your question (a graph or a table). If you are trying to count the still active sessions (count=1) over time then something like the following will work...

index=foo source=barDB  EventName="Shutdown" OR EventName="Startup" 
 | transaction SessionID | where eventcount=1
 | reverse |streamstats count as tally | timechart values(tally) as "count session still active"

Maybe you could clarify what you're trying to visualize.

0 Karma
Reply
Solved! Jump to solution

Clutchplate
Engager
‎01-29-2016 10:12 AM

Yes, active sessions over time is correct. Your search yields completely different results to Renjith's answer below, though. Trying to understand the two approaches....

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-28-2016 09:07 PM

Try something similar

index="foo" sourcetype="barDB"|where EventName="Shutdown" OR EventName="StartUp"|stats first(EventName) AS recent_event first(_time) AS _time by  SessionId|search recent_event="StartUp"|timechart count

the bucket (bin) on SessionId might divide that into a range.

Try executing only below part if you want to know the result 

    index="foo" sourcetype="barDB"|where EventName="Shutdown" OR EventName="StartUp"|stats first(EventName) AS recent_event first(_time) AS _time by  SessionId
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-31-2016 08:46 PM

Did it work for your requirement?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Clutchplate
Engager
‎02-01-2016 08:57 AM

Yes, this worked great.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...