Splunk Search

How to get latest transactionId ?

karthi2809
Builder

Hi All,

I am trying to get the count of enabled and disabled from a field. Then I want to show the field values based on the latest correlation ID. The currStatus field will run every 10 min.

"content.currStatus"="*" |stats  values(content.currStatus) as currStatus by latest(correlationId)|where currStatus!="Interface has no entry found in object Store"|stats count by currStatus


gcusello
SplunkTrust

Hi @karthi2809 ,

If currStatus has the values enabled or disabled, please try something like this:

"content.currStatus"="*" content.currStatus!="Interface has no entry found in object Store"
| rename content.currStatus AS currStatus
| stats
     count(eval(currStatus="enabled")) AS enabled_count
     count(eval(currStatus="disabled")) AS disabled_count
     last(currStatus) AS last_currStatus
     BY correlationId

In addition, one hint: always add the index containing these events; you'll have a faster search and you'll be sure to get the events.

Ciao.

Giuseppe

karthi2809
Builder

I just want to show the latest correlationId; in your query it's showing multiple correlationIds, and I just want to show the count of enabled and disabled in a pie chart.

ITWhisperer
SplunkTrust

Try something like this

"content.currStatus"="*" [search <your index> | stats latest(correlationId) as correlationId | table correlationId | format] | where currStatus!="Interface has no entry found in object Store"|stats count by currStatus

karthi2809
Builder

Hi @ITWhisperer 

The query is working, but I need the total counts of enabled and disabled in the output. Now it's showing 1 for enabled and 1 for disabled, but there are 79 events.
index="mulesoft" applicationName="scheduler"    message="Upcoming :*" [search index="mulesoft" applicationName="scheduler"  | stats latest(correlationId) as correlationId | table correlationId | format]  |stats   values(content.currStatus) as currStatus by correlationId|where currStatus!="Interface has no entry found in object Store"|stats count by currStatus

There are 79 events; of these, 74 are enabled and 5 are disabled. The values enabled and disabled come from the currStatus field.

ITWhisperer
SplunkTrust

You don't need the stats values() line

index="mulesoft" applicationName="scheduler"    message="Upcoming :*" [search index="mulesoft" applicationName="scheduler"  | stats latest(correlationId) as correlationId | table correlationId | format]  |where `content.currStatus`!="Interface has no entry found in object Store"|stats count by `content.currStatus`

karthi2809
Builder

Got it, thanks, it's working with the latest correlationId. At what time frequency does the correlationId change?

ITWhisperer
SplunkTrust

Apart from you, who else knows how frequently the correlation id changes?


karthi2809
Builder

Sorry, it's not working. Sometimes the values are coming, but sometimes it's not showing any values.

ITWhisperer
SplunkTrust

Please provide examples of what is working and what is not working; otherwise, just saying it is not working is not very helpful!

karthi2809
Builder

Hi @ITWhisperer 
The first time it's coming, but when I try to refresh the same query I don't find any values.

Query which I am trying:

index="mulesoft" applicationName="scheduler" environment=DEV   message="Upcoming Executions for Scheduler :*"  [search index="mulesoft" applicationName="scheduler"  | stats latest(correlationId) as correlationId | table correlationId | format] |where content.currStatus!="Interface has no entry found in object Store"|stats count by content.currStatus

If I use the query in a separate search, it's showing the latest correlation values:
message="Upcoming Executions for Scheduler :*"  environment=DEV | stats  latest(correlationId) as correlationId   | table correlationId


karthi2809
Builder

If I remove the stats line, it shows 0 events. Not showing any counts.
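Added example, not from any of the posters: in the query shown two posts up, the subsearch is not scoped to `environment=DEV` and `message="Upcoming Executions for Scheduler :*"`, unlike the standalone search that does return the latest correlationId, so `latest(correlationId)` can pick an id from a scheduler event that carries no currStatus entries and the outer search then matches nothing. This version scopes the subsearch identically to the outer search and adds a check column; it assumes the index, field names and message filter exactly as shown in the thread.

```spl
index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" "content.currStatus"="*"
    [ search index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" "content.currStatus"="*"
      | stats latest(correlationId) AS correlationId
      | table correlationId
      | format ]
| rename content.currStatus AS currStatus
| where currStatus!="Interface has no entry found in object Store"
| stats count AS count dc(correlationId) AS correlation_ids BY currStatus
```

The `correlation_ids` column should read 1 on every row (one run only); if the result is still empty, run the bracketed subsearch on its own over the same time range, since the subsearch inherits the outer search's time picker and returns nothing when no matching event falls inside it.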