Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for irregularities in the sequence of events?

zhonk
Explorer
‎12-10-2015 06:41 AM

Hi,

I have created a search to get the order of specified Events from hosts.

index=*SC "SPK CONLOC SERVER RECEIVED   R" | transaction host

10.12.2015 12:02:29 SPK CONLOC SERVER RECEIVED R B:B002: 16: 5: 5137: 2926:2:40:9:P:
10.12.2015 12:11:16 SPK CONLOC SERVER RECEIVED R B:ROAD: 1: 1: 6618: 566:1:40:9:D:
10.12.2015 12:19:22 SPK CONLOC SERVER RECEIVED R B:B002: 16: 3: 5137: 2799:2:40:9:P:
10.12.2015 12:25:13 SPK CONLOC SERVER RECEIVED R B: 6587: 410:1:40:2:D:
10.12.2015 12:31:17 SPK CONLOC SERVER RECEIVED R B:A002: 13:15: 5016: 1967:1:40:9:P:
10.12.2015 12:38:11 SPK CONLOC SERVER RECEIVED R B: 6175: 166:1:40:9:D:
10.12.2015 12:43:59 SPK CONLOC SERVER RECEIVED R B:B002: 20: 9: 5298: 3183:1:40:9:P:
10.12.2015 13:16:20 SPK CONLOC SERVER RECEIVED R B: 6130: 445:1:40:9:D:

Normally, the order is the P D P D P D P D. When this happens, everything is ok. We are searching for the sequence when it looks like P P D P D P or P D D P D P .

Best regards,
Axel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-10-2015 01:07 PM

Try this

...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-10-2015 01:07 PM

Try this

...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr
0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎12-11-2015 12:26 AM

Hi,
thanks about your answer, in combination with transaction the streamstats functions will not work. I add at the streamstats command by host and Splunk made a Filter on Host.I have retype the search and get all I need.

index=*SC "SPK CONLOC SERVER RECEIVED R" | sort host | rex ":(?[A-Z]):$"| streamstats current=f window=1 first(irr) as pirr by host | table _time,host, pirr, irr | where pirr=irr

Best regards
Axel

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-11-2015 05:07 AM

If this answers your question, please mark it as answered so it can be closed. Thanks

0 Karma
Reply
Solved! Jump to solution

zhonk
Explorer
‎12-11-2015 05:13 AM

Is it correct with Accepted Answer? It is my first question.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...