
How to search for all events for a transaction if there is no unique ID?

Explorer

Hi everybody ...
I have these kinds of logs in my environment. Every transaction has these 4 log messages, but there is no unique ID for every transaction. It simply generates this kind of message, but there is no information to correlate these messages for one particular transaction. But I need to find the INFORMATION, whatever is in between inbound and outbound. Can anyone help me with that?

Thanks in advance.
[screenshot of the log messages; image not available]


Re: How to search for all events for a transaction if there is no unique ID?

SplunkTrust

Can there be more than one transaction going on at the same time?


Re: How to search for all events for a transaction if there is no unique ID?

Explorer

No, for each transaction there is a difference of some milliseconds.


Re: How to search for all events for a transaction if there is no unique ID?

SplunkTrust

Give this a try. This should group relevant transaction events together.

Your base search | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield

If you're looking for specific output, please provide a sample/details of that.



Re: How to search for all events for a transaction if there is no unique ID?

Explorer

index=ccsptestwas source="/usr/WASLogs700/cdhpwsuat*/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse"
AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode"
OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" |rex "(?Inbound|Outbound)" |eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield | rex "ID:(?.)"
|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?.)" |rex "(?.)"|rex "(?.)" | rex "(?.)" | rex "(?.)" |rex "(?.)" |rex "(?.)"|rex "(?.)"| rex "(?.)"|rex "(?.)" |rex "provZipCode assigned to zipCode:(?.)"| rex "memZipCode assigned to zipCode:(?.*)"|stats max(time) as startTime,min(time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage,values(CorpEntCd) as corpEntCd,values(costlvlpctl) as Costlvlpctl,values(CptCode) as cptCode,values(GroupNbr) as GroupNbr,values(MemZipCode) as memZipCode,values(procdchrgamt) as ProcChrgamt,values(ProvZipCode) as ProvZipCode,values(SectionNbr) as SectionNbr,values(ServiceDate) as ServiceDate,values(tretcatcd) as TretCatCd,values(tretcatname) as TretCatName,values(bnftAgrmtNbr) as bnftAgrmtNbr,values(acctNbr) as acctNbr,values(provassignZip) as provassignZip,values(memzipassignzip) as memzipassignzip by id,source
|eval responseTime=startTime-endTime |eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N")
|table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source,corpEntCd,Costlvlpctl,cptCode,GroupNbr,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,provassignZip,memzipassignzip

Could you please help me with this? While adding the above code into my search I am getting results, but responseTime is coming because I am losing the time for the outbound message, and I need to display the transaction startTime and endTime in the final result... Thanks in advance..


Re: How to search for all events for a transaction if there is no unique ID?

Explorer

index=ccspprdwas source="/usr/WASLogs700/cdhpws_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Inbound Message" OR "Outbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" | rex "ID:(?.)" |rex "(?Inbound|Outbound)" | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield by id.....
I am using this query in production... There are 1 or 2 requests that are not properly combined because, for those requests, there will first be an outbound message and afterwards an inbound message....... Could you please tell me how I can change the query....
Thanks in advance....


Re: How to search for all events for a transaction if there is no unique ID?

SplunkTrust

Any specific reason why the outbound message came before the inbound? My answers rely on the order of inbound and outbound messages and will not work if the order is changed.


Re: How to search for all events for a transaction if there is no unique ID?

Explorer

I don't know... I have even checked the timestamp... the timestamp is good... once inbound is processed, only then is the outbound message processed... but in the logs it is written like that... for some of the requests...


Re: How to search for all events for a transaction if there is no unique ID?

SplunkTrust

Maybe you need to sort the events by timestamp so that the order is proper? Try adding | sort 0 -_time before the eval transfield.


Re: How to search for all events for a transaction if there is no unique ID?

Explorer

Sometimes 2 requests are processing simultaneously... that's why I am getting 2 inbound and outbound messages at a time.... in this order:
outbound 28773
inbound 28773
outbound 28772
outbound 28771
inbound 28772
inbound 28771
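The accepted answer's marker-plus-accum grouping, and the interleaving problem from the last post, as an added Python simulation that is not part of the thread and not Splunk's own code. The sample events, the ID regex and the per-id counter variant are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread), newest first as Splunk lists them.
# Two requests interleave, which is the situation the last post describes.
EVENTS = [
    "10:00:00,006 Outbound Message ID:28773 status=200",
    "10:00:00,005 Inbound Message ID:28773 zip=60601",
    "10:00:00,004 Outbound Message ID:28772 status=200",
    "10:00:00,003 Outbound Message ID:28771 status=500",
    "10:00:00,002 Inbound Message ID:28772 zip=60602",
    "10:00:00,001 Inbound Message ID:28771 zip=60603",
]
ID_RE = re.compile(r"ID:(?P<id>\d+)")   # assumed stand-in for the thread's rex "ID:..."
MARKER = "Outbound Message"               # the searchmatch() marker from the accepted answer


def accum_transfield(events, per_id=False):
    """Mimic `eval transfield=if(searchmatch(MARKER),1,0) | accum transfield`.

    Each marker line bumps a running count, and every following (older) event
    carries that count until the next marker. With per_id=True the count is kept
    separately per ID, so two interleaved requests no longer share one counter.
    """
    counters = defaultdict(int)
    tagged = []
    for line in events:
        eid = ID_RE.search(line).group("id")
        key = eid if per_id else "global"
        if MARKER in line:
            counters[key] += 1
        tagged.append((eid, counters[key], line))
    return tagged


def group_transactions(events, per_id=False):
    """Mimic `transaction transfield by id`: one group per (id, transfield) pair."""
    groups = defaultdict(list)
    for eid, n, line in accum_transfield(events, per_id):
        groups[(eid, n)].append(line)
    return dict(groups)


def transactions_per_id(events, per_id=False):
    """How many transactions each ID was split into; the goal is exactly one."""
    counts = defaultdict(int)
    for eid, _ in group_transactions(events, per_id):
        counts[eid] += 1
    return dict(counts)
```

With the global counter, ID 28772 is split into two transactions because the 28771 outbound sits between its outbound and inbound; the per-id counter keeps it whole. In SPL the per-id variant corresponds to replacing accum transfield with streamstats sum(transfield) as transfield by id.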
