Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find events immediately following/preceding another event?

AjayTakur
Loves-to-Learn Everything
‎04-19-2023 11:27 AM

I have to search for events

I have one event let's say MIT=" step started"
and another event says MIT=" step completed"

Now I have to ensure that both events have been included in my search criteria
in such a way that

Case 1:The first event is started the second event will get completed.

Case 2: If the first event is not started then the second event will also not be complete.
Considering these conditions I need search criteria.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2023 04:29 PM

Never use the "transaction" command for production.  Try this:

index="YourIndexHere" AND sourcetype="YourSourcetypeHere" AND MIT IN("step started", step completed")
| stremstats count(eval(MIT="stepstarted")) AS SessionID BY host ```And maybe other fields here```
| stats min(_time) AS _time range(_time) AS duration dc(MIT) AS MITcount values(MIT) AS MIT BY host ``And maybe other fields here```

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎04-19-2023 12:26 PM

Hi @AjayTakur 

the question is bit confusion, but, nevertheless, basically you need Splunk's transaction command:

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Transaction#Basic_Examples

 

Very basic rough draft SPL:

index=a source=b sourcetype=c 
| transaction MIT startswith=" step started" endswith=" step completed" maxspan=2s

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Tags (1)
0 Karma
Reply

AjayTakur
Loves-to-Learn Everything
‎04-20-2023 10:20 AM

for two different events ie., started and successful the successful might not be an event happening after started then, in this case, is this search criteria correct?


index=a source=b | transaction startswith=MIT="Local Step started." endswith=MIT="Copy step successful." keepevicted=true | search closed_txn=0

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...