I am trying to write a Splunk search that returns the number of Delivery receipts (event2) that were not received for the messages sent to the aggregator (event1). I have tried a couple of searches and they didn't work. ANY HELP WILL BE GREATLY APPRECIATED.
The fields that play a role here are:
message, messageid
Note: Here the field message = "Message sent with aggregator id" and "DeliveryReceipt" are fixed;
only the messageid field is dynamic. That field should be matched between one event and the other.
Criteria/search pattern should be something like:
Look at the value of the message field = "Message sent with aggregator id" and the messageid in event1, compare that with message = "DeliveryReceipt" and the messageid value in event2, and return the values that are not matched.
When message is sent to aggregator - event1
{
"@timestamp" : "2016-05-13T15:48:16.671+00:00",
"@version" : 1,
"message" : "Message sent with aggregator id",
"logger_name" : "com..sms.gateway.smpp.SmppGateway",
"thread_name" : "syniverse-1",
"level" : "INFO",
"level_value" : 20000,
"HOSTNAME" : "OMSL",
"ip" : "169.254.235.75",
"context" : "sms-gateway-service",
"Aggregator" : "SYNIVERSE",
"id" : "daf753f3-fb3a-41a7-a217-a8ca1eca4e96",
"messageid" : "102420318801461823028868"
}
When acknowledgment is received from aggregator - event2
{
"@timestamp" : "2016-05-13T16:36:15.901+00:00",
"@version" : 1,
"message" : "DeliveryReceipt",
"logger_name" : "com.sms.gateway.service.DeliveryReceiptHandlerService",
"thread_name" : "ExecutorService-1",
"level" : "INFO",
"level_value" : 20000,
"HOSTNAME" : "OMSL",
"ip" : "169.254.235.75",
"context" : "sms-gateway-service",
"sub" : 1,
"dlvrd" : 1,
"err" : "000",
"submitDate" : "1512101924",
"messageid" : "102420065671445451529869",
"state" : 2,
"text" : "ext:hello",
"doneDate" : "1512101924"
}
Give this a try (assuming field extraction works fine)
your base search | transaction messageid startswith=message="Message sent with aggregator id" endswith=message="DeliveryReceipt" maxevents=2 keepevicted=t | where eventcount=1
Been struggling for over a week and this worked like a charm.
Can you help me with one more step: I have a requirement to count the number of those events, and if the count is more than 5 for the last 30 minutes, I have to send an email.
Thanks for the help.
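Outside the thread, as an added example (not the asker's or the answerer's code): a Python re-implementation of the correlation the transaction search performs, plus the threshold rule from the follow-up question, run over constructed JSON lines shaped like the two events above. Field names mirror the events; the sample messageids and timestamps are made up.

```python
"""Pair each "Message sent with aggregator id" event with a "DeliveryReceipt"
event on messageid, report sends with no receipt, and apply the follow-up
rule (more than 5 missing receipts within the last 30 minutes).
The sample events below are constructed for this example, not real logs."""
import json
from datetime import datetime, timedelta

SENT = "Message sent with aggregator id"
RECEIPT = "DeliveryReceipt"

# Constructed sample: three sends, one matching receipt, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2016-05-13T15:48:16.671+00:00", "message": SENT, "messageid": "1024203188"},
    {"@timestamp": "2016-05-13T15:49:00.000+00:00", "message": SENT, "messageid": "1024203189"},
    {"@timestamp": "2016-05-13T15:50:30.000+00:00", "message": SENT, "messageid": "1024203190"},
    {"@timestamp": "2016-05-13T16:36:15.901+00:00", "message": RECEIPT, "messageid": "1024203189"},
])


def parse_events(log_text):
    """Parse one JSON object per line; lines that are not valid JSON are skipped."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def missing_receipts(events):
    """Return the send events whose messageid never appears in a receipt.
    This is what the transaction search's eventcount=1 filter selects,
    restricted to transactions that actually began with a send."""
    received = {e["messageid"] for e in events if e.get("message") == RECEIPT}
    return [e for e in events
            if e.get("message") == SENT and e["messageid"] not in received]


def should_alert(missing, now_iso, window=timedelta(minutes=30), threshold=5):
    """Follow-up rule: alert when more than `threshold` sends timestamped
    within `window` before `now_iso` (an ISO-8601 string) have no receipt."""
    cutoff = datetime.fromisoformat(now_iso) - window
    recent = [e for e in missing if datetime.fromisoformat(e["@timestamp"]) >= cutoff]
    return len(recent) > threshold


if __name__ == "__main__":
    missing = missing_receipts(parse_events(SAMPLE_LOG))
    print("missing receipts:", [e["messageid"] for e in missing])
    print("alert:", should_alert(missing, "2016-05-13T16:10:00.000+00:00"))
```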