Splunk Search

How to write a search to find the number of Splunk transactions that start and end with certain conditions?

btcs2
Engager

I need to find the number of events that start with certain conditions and end with certain conditions.

Example:

index="*" source="*" | transaction startswith=C OR D endswith=A OR B

I need to find the count.

How do I do it?


fredclown
Builder

Is something like this what you are looking for? All the stuff before the transaction command is just to create some test events.

| makeresults count=12
| streamstats count
| eval _time=_time + count
| eval value = case(count=1, "A", count=2, "C", count=3, "A", count=4, "D", count=5, "B", count=6, "C", count=7, "B", count=8, "D", count=9, "A", count=10, "F", count=11, "A", count=12, "G")
| eval ip = "192.168.0.1"
| transaction ip startswith=eval(value="A" OR value="B") endswith=eval(value="C" OR value="D")


btcs2
Engager

No, transaction startswith is not working with multiple ORs. One startswith and multiple endswith conditions is working. So do we have a solution for this?


sshelly_splunk
Splunk Employee

I grabbed the Splunk tutorial data (from googling "splunk search tutorial") for this example.

source="tutorialdata.zip:*"
| transaction clientip JSESSIONID startswith=(action=addtocart) endswith=(action=purchase)

Note the syntax for the startswith and endswith keyword specifications/filters. A transaction is created for each unique pair of clientip and JSESSIONID with successful adds to cart and purchases.

Hope this helps.


btcs2
Engager

Yes, this will work. My question is how to add multiple startswith and multiple endswith conditions, or an alternative to transaction.

index="prod" source="mysource" | transaction startswith="create happening for test" endswith=("create done for test" OR "create not done for test") | stats count


sshelly_splunk
Splunk Employee

I'll do my best to make pseudo-SPL here :)

index="prod" source="mysource"

| transaction startswith=(fieldname=start_field_value OR fieldname=alternate_start_field_value) endswith=(diff_fieldname=end_value OR diff_fieldname2=alternate_fieldvalue)

|stats count

You will need to encapsulate your search in "()". If you could share field names, values desired, that would help.

I used an old eventgen data set and came up with the following. You can use this with your index(es), sourcetypes, etc.

index=main
| transaction clientip JSESSIONID startswith=(status=200 action=addtocart) endswith=(status=200 AND action=purchase)
| stats count by host

You can insert SPL into the "()" to define start and end. I would avoid using clear text search for any of the start/end filters though.


sshelly_splunk
Splunk Employee

When you use "transaction", there is a field created called "eventcount" which shows how many events are in each transaction. You can look for max eventcount, stats count by, etc.

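Added example (not code from the thread, not Splunk's implementation): a small Python model of the boundary logic behind `transaction <key> startswith=(A OR B) endswith=(C OR D) | stats count`, and of the eventcount field mentioned in the last reply. It lets you sanity-check what count such a search should return on a known data set before running it against a real index. The host and msg field names, the message strings and the event list are constructed for this example; the model's rules (a new start boundary ends any open transaction for that key, events outside an open transaction are dropped) are simplifying assumptions, and Splunk's real command has options such as maxspan, maxpause and keepevicted that the model ignores.

```python
"""Model of `transaction ... startswith=(...) endswith=(...) | stats count`.

Constructed example; not Splunk's implementation and not code from the thread.
It models only the boundary logic discussed above: a transaction opens on an
event matching the startswith predicate, collects later events with the same
key, and closes on the first event matching the endswith predicate.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


@dataclass
class Transaction:
    key: Tuple[object, ...]
    events: List[Event] = field(default_factory=list)
    closed_txn: int = 0  # like Splunk's closed_txn field: 1 once endswith matched

    @property
    def eventcount(self) -> int:  # the field the last reply refers to
        return len(self.events)

    @property
    def duration(self) -> float:
        return float(self.events[-1]["_time"]) - float(self.events[0]["_time"])


def field_is_any_of(name: str, *values: object) -> Predicate:
    """Equivalent of `(name=v1 OR name=v2 ...)` inside startswith/endswith."""
    allowed = set(values)
    return lambda ev: ev.get(name) in allowed


def build_transactions(events: Iterable[Event], keys: Sequence[str],
                       startswith: Predicate, endswith: Predicate) -> List[Transaction]:
    open_tx: Dict[Tuple[object, ...], Transaction] = {}
    finished: List[Transaction] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(k) for k in keys)
        if startswith(ev):
            # Model assumption: a new start boundary ends any open transaction
            # for that key (left with closed_txn=0) and begins a fresh one.
            if key in open_tx:
                finished.append(open_tx.pop(key))
            open_tx[key] = Transaction(key=key, events=[ev])
            continue
        tx = open_tx.get(key)
        if tx is None:
            continue  # simplification: events outside an open transaction are dropped
        tx.events.append(ev)
        if endswith(ev):
            tx.closed_txn = 1
            finished.append(open_tx.pop(key))
    finished.extend(open_tx.values())  # unterminated ones still come out, closed_txn=0
    return finished


def count_transactions(txs: Iterable[Transaction], closed_only: bool = True) -> int:
    """`| stats count` (optionally after `| search closed_txn=1`)."""
    return sum(1 for t in txs if t.closed_txn or not closed_only)


def count_by(txs: Iterable[Transaction], name: str, closed_only: bool = True) -> Dict[object, int]:
    """`| stats count by <name>`, using the value from the transaction's first event."""
    out: Dict[object, int] = {}
    for t in txs:
        if closed_only and not t.closed_txn:
            continue
        v = t.events[0].get(name)
        out[v] = out.get(v, 0) + 1
    return out


# Constructed sample: hypothetical hosts and messages mirroring the filters in the thread.
SAMPLE_EVENTS: List[Event] = [
    {"_time": 1, "host": "web01", "msg": "create happening for test"},
    {"_time": 2, "host": "web02", "msg": "create happening for test"},
    {"_time": 3, "host": "web01", "msg": "validating input"},
    {"_time": 4, "host": "web01", "msg": "create done for test"},
    {"_time": 5, "host": "web02", "msg": "create not done for test"},
    {"_time": 6, "host": "web01", "msg": "create happening for test"},
    {"_time": 7, "host": "web01", "msg": "heartbeat"},            # transaction never closed
    {"_time": 8, "host": "web02", "msg": "create done for test"},  # no open transaction for web02
]
START = field_is_any_of("msg", "create happening for test")
END = field_is_any_of("msg", "create done for test", "create not done for test")


if __name__ == "__main__":
    txs = build_transactions(SAMPLE_EVENTS, ("host",), START, END)
    for t in txs:
        print(t.key, "eventcount=%d closed_txn=%d duration=%.0f"
              % (t.eventcount, t.closed_txn, t.duration))
    print("closed:", count_transactions(txs), "all:", count_transactions(txs, closed_only=False))
    print("by host:", count_by(txs, "host"))
```

On the sample above the model yields three transactions, two of which reach an endswith event. The SPL counterpart, assuming a msg field, is `index="prod" source="mysource" | transaction host startswith=(msg="create happening for test") endswith=(msg="create done for test" OR msg="create not done for test") | search closed_txn=1 | stats count`; the `closed_txn=1` filter matters because transaction also emits groups that never hit the end condition.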