How do you search for the string "error" after a p...

jagr · ‎11-12-2015

Hi,

I would like to check for the string "ERROR" after the application is in a stable state.

The application logs the string "Starting server", from this point onwards, I would like to filter for the string "ERROR".

I'm thinking the the search should something like below:

index=app  | transaction startswith="Starting server" | map search=ERROR

Any ideas?

Many thanks

sundareshr · ‎11-12-2015

For transaction command to be effective, it is best to provide some unique identifier that ties events together eg: sessionid, userid, processid, guid etc. This helps transaction command group events more reliably. The startswith and endswith help better define boundary events within the transaction.

In you use case, it would be best to add a "transaction id". Regardless, you could add endswith="ERROR". This may give you what you are looking for.

Ideally you would have something like this

index=app | transaction some_uniqe_id startswith="Server started" endswith="Error" keepevicted=f

or you could have keepevicted=t and filter out where closed_txn=0

Hope this gives you some ideas

How do you search for the string "error" after a particular string appears?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How do you search for the string "error" after a particular string appears?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers