Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find events immediately following/preceding another event?

AjayTakur
Loves-to-Learn Everything
‎04-19-2023 11:27 AM

I have to search for events

I have one event let's say MIT=" step started"
and another event says MIT=" step completed"

Now I have to ensure that both events have been included in my search criteria
in such a way that

Case 1:The first event is started the second event will get completed.

Case 2: If the first event is not started then the second event will also not be complete.
Considering these conditions I need search criteria.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2023 04:29 PM

Never use the "transaction" command for production.  Try this:

index="YourIndexHere" AND sourcetype="YourSourcetypeHere" AND MIT IN("step started", step completed")
| stremstats count(eval(MIT="stepstarted")) AS SessionID BY host ```And maybe other fields here```
| stats min(_time) AS _time range(_time) AS duration dc(MIT) AS MITcount values(MIT) AS MIT BY host ``And maybe other fields here```

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎04-19-2023 12:26 PM

Hi @AjayTakur 

the question is bit confusion, but, nevertheless, basically you need Splunk's transaction command:

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Transaction#Basic_Examples

 

Very basic rough draft SPL:

index=a source=b sourcetype=c 
| transaction MIT startswith=" step started" endswith=" step completed" maxspan=2s

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Tags (1)
0 Karma
Reply

AjayTakur
Loves-to-Learn Everything
‎04-20-2023 10:20 AM

for two different events ie., started and successful the successful might not be an event happening after started then, in this case, is this search criteria correct?


index=a source=b | transaction startswith=MIT="Local Step started." endswith=MIT="Copy step successful." keepevicted=true | search closed_txn=0

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...