Solved: Re: How to join 2 results and use transaction to d...

edookati · ‎11-14-2014

in weblogic access log, i need to join 2 results and use transaction to display the calls within 3s timespan, but this doesn't work.
Can you please help me?

index=olb_logs sourcetype="access-API" URL="/bankapi/session" method=POST | join sessionID [Search URL="/bankapi/accounts" method=GET] | transaction sessionID maxspan=3s

somesoni2 · ‎11-14-2014

Try this

index=olb_logs sourcetype="access-API" (URL="/bankapi/session" method=POST ) OR (URL="/bankapi/accounts" method=GET) | transaction sessionID maxspan=3s

View solution in original post

somesoni2 · ‎11-14-2014

Try this

index=olb_logs sourcetype="access-API" (URL="/bankapi/session" method=POST ) OR (URL="/bankapi/accounts" method=GET) | transaction sessionID maxspan=3s

somesoni2 · ‎11-14-2014

Try adding maxevents=2 in the transaction command.

edookati · ‎11-14-2014

Sorry, it is still giving me the same URLs in one transaction.

edookati · ‎11-14-2014

Thanks. this really helped. But, I am seeing same URLs in one transaction for most of the results and I want to display transaction results only if the URLs are different like the one below

2014-11-13 22:59:49 0.357 3152 2b76f0999150450e9b4a8c95e805ba41 - XXXXXX 00.00.00.00 00.00.00.00 00.00.00.00 00.00.00.00 GET /bankapi/ABCD 200 isExternal
2014-11-13 22:59:52 0.301 3152 2b76f0999150450e9b4a8c95e805ba41 - XXXXXX 00.00.00.00 00.00.00.00 00.00.00.00 00.00.00.00 GET /bankapi/EFGH 200 isExternal

How to join 2 results and use transaction to display calls within a 3 second timespan for weblogic access logs?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!