How to write a Splunk transaction search that is similar to grep Before and After string pattern

splunkears
Path Finder

Hi,

I wanted to find transactions in logs using "startswith" and "endswith", but my log record does not have a common field to
use in the transaction command, as mentioned in
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Transaction

| transaction "some common field" startswith="begin transaction"  endswith="done" maxpause=2s maxspan=180s

My problem is, in the above command, my record does not have a common value / field in the record that marks the beginning and ending of transaction.

Hence, I wanted to try a different approach, where I search for records with "begin transaction" and then, in those results, would like to get / see the next following 10-20 records within a 180 sec span, which have "done" as the marker for the END of the transaction.

Is this doable with Splunk?

Any other suggestions to get the transactions marked with begin and end as a single unit of record?

Thanks.

MuS
SplunkTrust

Hi splunkears,

If you're using transaction in Splunk you are basically using Splunk as a big grep environment, because it breaks way too many things within the Splunk search, like mapreduce, and you will end up getting all _raw data back from the indexers to the search heads.

I would suggest having a look at the March 2016 session of the virtual .conf https://wiki.splunk.com/Virtual_.conf and having a closer look at the examples on how to use stats with a start or end event. This will give you way better performance and you will not hit any hidden limit of Splunk.

cheers, MuS

dbcase
Motivator

Take a look at the BIN command. That's what I use when I need to see the events preceding.

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin

richgalloway
SplunkTrust

The transaction command does not require a common field when using the startswith and endswith options.

---
If this reply helps you, an upvote would be appreciated.

splunkears
Path Finder

Thank you for the quick response. I'm getting zero results when I do not provide a keyword (common field) next to transaction that's available in both the begin record and the end record. Can you please suggest how to get the next (all) records within, say, a 30 sec span that start with (for example) the "begin" record. Is this doable?
I'm after finding records (transactions) that got initiated but did not complete in, say, 30 sec.
Thanks a lot!

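The stats-based approach MuS points to, applied to this thread's case of begin/done markers with no shared field, and to the follow-up question of finding transactions that started but did not finish within 30 seconds. This is an added example written for this thread, not code from the original posts or from Splunk's docs; `index=app` and `sourcetype=app_log` are placeholders for your own data, and it assumes transactions do not overlap in time (with no common field there is nothing to tell interleaved transactions apart), so each "begin transaction" event opens a new group and every event up to the next "begin transaction" belongs to it.

```spl
index=app sourcetype=app_log ("begin transaction" OR "done")
| sort 0 _time
| streamstats count(eval(searchmatch("begin transaction"))) as txn_id
| where txn_id > 0
| stats min(_time) as start_time
        min(eval(if(searchmatch("done"), _time, null()))) as end_time
        count as event_count
        list(_raw) as events
        by txn_id
| eval duration=end_time-start_time
| eval status=case(isnull(end_time), "never completed",
                   duration<=30, "completed",
                   true(), "completed late")
| where status!="completed"
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S")
| table txn_id start_time status duration event_count events
```

`streamstats` increments `txn_id` on every "begin transaction" event, so the `stats ... by txn_id` groups each begin with the events that follow it, and the first "done" in the group (if any) gives `end_time`; drop the `("begin transaction" OR "done")` filter from the base search to keep the intermediate records in `events`, and change `30` to `180` for the span in the original question.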