I need to find the number of events that start with certain conditions and end with certain conditions.
example
index="*" source="*" | transaction startWith=C OR D endWith=A OR B
I need to find the count.
How do I do it?
Is something like this what you are looking for? All the stuff before the transaction command is just to create some test events.
| makeresults count=12
| streamstats count
| eval _time=_time + count
| eval value = case(count=1, "A", count=2, "C", count=3, "A", count=4, "D", count=5, "B", count=6, "C", count=7, "B", count=8, "D", count=9, "A", count=10, "F", count=11, "A", count=12, "G")
| eval ip = "192.168.0.1"
| transaction ip startswith=eval(value="A" OR value="B") endswith=eval(value="C" OR value="D")
No, transaction startswith is not working with multiple ORs. One startswith and multiple endswith is working. So do we have a solution for this?
I grabbed the Splunk tutorial data (from googling "splunk search tutorial") for this example.
source="tutorialdata.zip:*"
| transaction clientip JSESSIONID startswith=(action=addtocart) endswith=(action=purchase)
Note the syntax for the startswith and endswith keyword specifications/filters. A transaction is created for each unique pair of clientip and JSESSIONID with successful adds to cart and purchase.
Hope this helps.
Yes, this will work. My question is how to add multiple startswith and multiple endswith conditions, or an alternative to transaction.
index="prod" source="mysource" | transaction startswith="create happening for test" endswith=("create done for test " OR "create not done for test" )|stats count
I'll do my best to make pseudo SPL here :)
index="prod" source="mysource"
| transaction startswith=(fieldname=start_field_value OR fieldname=alternate_start_field_value) endswith=(diff_fieldname=end_value OR diff_fieldname2=alternate_fieldvalue)
|stats count
You will need to encapsulate your search in "()". If you could share field names, values desired, that would help.
I used an old eventgen data set and came up with the following. You can use this with your index(es), sourcetypes, etc.
index=main
| transaction clientip JSESSIONID startswith=(status=200 action=addtocart) endswith=(status=200 AND action=purchase)
| stats count by host
You can insert SPL into the "()" to define start and end. I would avoid using clear text search for any of the start/end filters, though.
When you use "transaction", a field called "eventcount" is created which shows how many events are in each transaction. You can look for max eventcount, stats count by, etc.
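To make the grouping concrete, here is an added offline model (not Splunk's code, and not from any poster in this thread) of what `transaction ip startswith=eval(value="A" OR value="B") endswith=eval(value="C" OR value="D")` does to the 12-event makeresults data set posted earlier, including the `eventcount` field. It assumes a simplified forward-in-time pass: a start-matching event opens a transaction for its key, an end-matching event closes it, and an event that matches neither is only kept if a transaction is already open for its key. Options such as maxspan, maxevents and keepevicted are not modelled; the `keep_incomplete` flag is this example's own knob for showing which events never formed a complete transaction.

```python
"""Offline model of `transaction <key> startswith=... endswith=...` with OR'd
start and end filters. Added example; it is not Splunk's implementation and
assumes forward-in-time processing with no maxspan/maxevents/keepevicted."""

# Constructed input mirroring the makeresults answer above:
# 12 events one second apart, a single ip, values A C A D B C B D A F A G.
SEQUENCE = "A C A D B C B D A F A G".split()
EVENTS = [{"_time": 1700000000 + i, "ip": "192.168.0.1", "value": v}
          for i, v in enumerate(SEQUENCE, start=1)]


def starts_with(ev):
    """startswith=eval(value="A" OR value="B")"""
    return ev["value"] in ("A", "B")


def ends_with(ev):
    """endswith=eval(value="C" OR value="D")"""
    return ev["value"] in ("C", "D")


def transaction(events, key_fields, startswith, endswith, keep_incomplete=False):
    """Group events into transactions per key (hypothetical simplified model).

    A start-matching event opens a transaction for its key, replacing any
    transaction still open for that key; an end-matching event closes it.
    Each result carries eventcount and duration, the fields the thread
    suggests counting on afterwards.
    """
    open_tx = {}
    done = []

    def finish(tx, complete):
        first, last = tx[0], tx[-1]
        done.append({
            "key": tuple(first[f] for f in key_fields),
            "eventcount": len(tx),
            "duration": last["_time"] - first["_time"],
            "start": first["value"],
            "end": last["value"],
            "complete": complete,
        })

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in key_fields)
        if startswith(ev):
            # A new start while one is open: the old one never completed.
            if key in open_tx and keep_incomplete:
                finish(open_tx[key], complete=False)
            open_tx[key] = [ev]
        elif key in open_tx:
            open_tx[key].append(ev)
            if endswith(ev):
                finish(open_tx.pop(key), complete=True)
        # Events with no open transaction for their key are dropped.
    if keep_incomplete:
        for tx in open_tx.values():
            finish(tx, complete=False)
    return done


def count_transactions(events, key_fields=("ip",)):
    """Equivalent of `| transaction ip startswith=... endswith=... | stats count`."""
    return len(transaction(events, key_fields, starts_with, ends_with))


def max_eventcount(events, key_fields=("ip",)):
    """Equivalent of `| stats max(eventcount)` over the same transactions."""
    return max(t["eventcount"] for t in transaction(events, key_fields, starts_with, ends_with))


if __name__ == "__main__":
    for t in transaction(EVENTS, ("ip",), starts_with, ends_with, keep_incomplete=True):
        print(t)
    print("count:", count_transactions(EVENTS))
```

On the constructed sequence this yields four complete transactions (A-C, A-D, B-C, B-D), each with eventcount 2, while the trailing A F A G events never meet an end condition and only show up when `keep_incomplete=True`. Passing a different pair of predicate functions is the model's equivalent of changing the OR lists in the startswith/endswith filters.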