Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for irregularities in the sequence of events?

zhonk
Explorer
‎12-10-2015 06:41 AM

Hi,

I have created a search to get the order of specified Events from hosts.

index=*SC "SPK CONLOC SERVER RECEIVED   R" | transaction host

10.12.2015 12:02:29 SPK CONLOC SERVER RECEIVED R B:B002: 16: 5: 5137: 2926:2:40:9:P:
10.12.2015 12:11:16 SPK CONLOC SERVER RECEIVED R B:ROAD: 1: 1: 6618: 566:1:40:9:D:
10.12.2015 12:19:22 SPK CONLOC SERVER RECEIVED R B:B002: 16: 3: 5137: 2799:2:40:9:P:
10.12.2015 12:25:13 SPK CONLOC SERVER RECEIVED R B: 6587: 410:1:40:2:D:
10.12.2015 12:31:17 SPK CONLOC SERVER RECEIVED R B:A002: 13:15: 5016: 1967:1:40:9:P:
10.12.2015 12:38:11 SPK CONLOC SERVER RECEIVED R B: 6175: 166:1:40:9:D:
10.12.2015 12:43:59 SPK CONLOC SERVER RECEIVED R B:B002: 20: 9: 5298: 3183:1:40:9:P:
10.12.2015 13:16:20 SPK CONLOC SERVER RECEIVED R B: 6130: 445:1:40:9:D:

Normally, the order is the P D P D P D P D. When this happens, everything is ok. We are searching for the sequence when it looks like P P D P D P or P D D P D P .

Best regards,
Axel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-10-2015 01:07 PM

Try this

...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-10-2015 01:07 PM

Try this

...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr
0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎12-11-2015 12:26 AM

Hi,
thanks about your answer, in combination with transaction the streamstats functions will not work. I add at the streamstats command by host and Splunk made a Filter on Host.I have retype the search and get all I need.

index=*SC "SPK CONLOC SERVER RECEIVED R" | sort host | rex ":(?[A-Z]):$"| streamstats current=f window=1 first(irr) as pirr by host | table _time,host, pirr, irr | where pirr=irr

Best regards
Axel

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-11-2015 05:07 AM

If this answers your question, please mark it as answered so it can be closed. Thanks

0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎12-11-2015 05:13 AM

Is it correct with Accepted Answer? It is my first question.

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...