How to create transaction based on event data?

joesrepsolc · ‎05-24-2019

So I'm trying to build a transaction based on events I am getting from a log. I'm struggling how to set the transaction command to look for the "jobname" and grab all the events between a "Job started" event and "Job ended" event. this can vary from 2 to 12 unique event logs. So how can I tell Splunk whenever you see a "Job started" in the event, create a transaction including the events all the way up to a "Job ended" event?

|transaction jobname ?????

based on the example, jobname = "JobName ABC" (created with regex)

(event 5)Informational May 24, 2019 2:42:47 PM CDT Transaction "JobName ABC": Job ended
(event 4)....
(event 3)....
(event 2)....
(event 1)Informational May 24, 2019 2:40:17 PM CDT Transaction "JobName ABC": Job started

Thanks for any help. Joe

jnudell_2 · ‎05-24-2019

Try this:
| transaction jobname startswith="Job started" endswith="Job ended"

How to create transaction based on event data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

How to create transaction based on event data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A