How to find events immediately following/preceding...

AjayTakur · ‎04-19-2023

I have to search for events

I have one event let's say MIT=" step started"
and another event says MIT=" step completed"

Now I have to ensure that both events have been included in my search criteria
in such a way that

Case 1:The first event is started the second event will get completed.

Case 2: If the first event is not started then the second event will also not be complete.
Considering these conditions I need search criteria.

woodcock · ‎04-20-2023

Never use the "transaction" command for production. Try this:

index="YourIndexHere" AND sourcetype="YourSourcetypeHere" AND MIT IN("step started", step completed")
| stremstats count(eval(MIT="stepstarted")) AS SessionID BY host ```And maybe other fields here```
| stats min(_time) AS _time range(_time) AS duration dc(MIT) AS MITcount values(MIT) AS MIT BY host ``And maybe other fields here```

inventsekar · ‎04-19-2023

Hi @AjayTakur

the question is bit confusion, but, nevertheless, basically you need Splunk's transaction command:

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Transaction#Basic_Examples

Very basic rough draft SPL:

index=a source=b sourcetype=c 
| transaction MIT startswith=" step started" endswith=" step completed" maxspan=2s

AjayTakur · ‎04-20-2023

for two different events ie., started and successful the successful might not be an event happening after started then, in this case, is this search criteria correct?

index=a source=b | transaction startswith=MIT="Local Step started." endswith=MIT="Copy step successful." keepevicted=true | search closed_txn=0

How to find events immediately following/preceding another event?

count

fields

join

lookup

search job inspector

stats

subsearch

table

transaction

tstats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio