- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to change the order the transaction command pr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone!
I'm trying to use a transaction to group logs that match the following business-logic:
- all triggered actions are queued and processed following the FIFO policy
- sometimes, many actions can be triggered before the first one is even completed
- my logs does not include a common transaction_id that could be use to match the triggering and ACK events
- thereby, I must assume that my first ACK is for the first triggered action, and so on.
My transaction command would looks like:
| transaction unit, option startswith="trigger" endswith="ack"
But it seems that Splunk is associating the first ACK event that match my transaction conditions with the last transaction it has opened. I would expect it to work the opposite way, or at least, I wish I could ask it to do so.
Here is a short data sample:
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
The command mentioned above is returning something like:
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
When I would expect:
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
Hope I was clear enough and thank you for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about something like this... you should be able to build on it
... | streamstats count as c by action | sort c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about something like this... you should be able to build on it
... | streamstats count as c by action | sort c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @sundareshr!
I finally had to add all the fields used in my transaction to the streamstats count to make it work.
For futur record, here is my final query:
| streamstats count AS c by unit, option, action
| sort c
| transaction unit, option, c
startswith="trigger"
endswith="ack"
Thank you 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
