Splunk Search

Need to run a transaction search based on the extracted value of another field.

sheloaha
Path Finder

I run a search to find all events relating to a particular transaction number i.e.

index=myindex searchstring | transaction TX_ID | stats avg(duration)

from which I look for an event like the following:

07/22/2019-21:02:12.159 - taskPool-2 - DEBUG [com.batchRequest : Line 374]: UID: xxxxxxxxxxxx4078558 (this is the TX_ID) - Found in manifest file appeal number: 1-28000xxxxx for transaction ID: xxxxxxxx5175 (this is the EFT_ID) and function : Close

I need to take the value of EFT_ID and run a new search looking for all transactions with that particular value in the TX_ID field. I've tried several variations but I'm just not getting it to work. Any ideas on how to accomplish this?

0 Karma

gcusello
SplunkTrust

Hi sheloaha,
The transaction command isn't a very performant command; you should try something different, like the stats command:

index=myindex searchstring 
| stats earliest(_time) AS earliest latest(_time) AS latest values(EFT_ID) AS EFT_ID count BY TX_ID
| eval duration=avg(latest-earliest)

In this way you have the same fields as the transaction (if you need other fields, add them to the stats command using values) but in much less time.
If you want to use this search as a subsearch of another main search, remember to check the number of results you have, because there's a limit of 50,000 results in subsearches.

Bye.
Giuseppe

0 Karma

sheloaha
Path Finder

I have hundreds of transactions happening so I need to be able to group the events by TX_ID. Running the search as above does not give me the duration of each full transaction. My base search is essentially:

index=myindex host=myhost sourcetype=sourcetype1 OR sourcetype=sourcetype2 source=log1 OR source=log2

When I find a transaction that has the event giving an EFT_ID number I need to run a new transaction search using that value as the TX_ID.

0 Karma

sheloaha
Path Finder

The overall goal is to get an end-to-end duration of a transaction. The first search I run gives the duration of the SOAP call. The next part I need is the duration of the associated EFT transaction, which has a different transaction number from the SOAP part. I'm trying to pull the EFT_ID out and use that value to run my original search again but with the new transaction number.

0 Karma

somesoni2
Revered Legend

So you want to search all transactions where TX_ID is the EFT_ID you chose/provide? Are you going to run this for a single EFT_ID (provided via dropdown/textbox/manual input to the search) OR all EFT_IDs matching some criteria?

0 Karma

mayurr98
Super Champion

Did you try this?
index=myindex searchstring | transaction TX_ID EFT_ID | stats avg(duration)

0 Karma

sheloaha
Path Finder

This only separates the line with the EFT_ID into a separate transaction and does not pull any additional events with that number.

0 Karma
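The following is an added example, not posted by anyone in this thread, showing the two ways the discussion points at: a subsearch that pulls the EFT_ID out of the "Found in manifest file" event and feeds it back in as TX_ID, and a single stats pass that links the SOAP transaction to its EFT transaction and computes the end-to-end duration. It assumes TX_ID is already extracted as a field, that the EFT_ID appears in the raw event exactly as "transaction ID: <value>" (as in the sample event above), and that the index, host, sourcetype and source values are the placeholders from the thread; the field names start, end, link_id and e2e_duration are invented for the example.

```spl
/* Option 1: two-pass approach with a subsearch.
   The inner search finds the manifest events, extracts EFT_ID with rex,
   renames it to TX_ID, and returns an OR'd list of TX_ID=... terms to the
   outer search, which then builds transactions for those EFT IDs only.
   Caveat (from the thread): subsearches are capped at 50,000 results,
   so check the result count of the inner search on its own first. */
index=myindex host=myhost (sourcetype=sourcetype1 OR sourcetype=sourcetype2) (source=log1 OR source=log2)
    [ search index=myindex host=myhost (sourcetype=sourcetype1 OR sourcetype=sourcetype2) (source=log1 OR source=log2) "Found in manifest file"
      | rex field=_raw "transaction ID: (?<EFT_ID>\S+)"
      | dedup EFT_ID
      | rename EFT_ID AS TX_ID
      | fields TX_ID ]
| transaction TX_ID
| stats avg(duration) AS avg_eft_duration

/* Option 2: one pass with stats, linking SOAP and EFT stages.
   Every event is grouped by its own TX_ID first. A SOAP transaction carries
   an EFT_ID (extracted from its manifest event); an EFT transaction does not.
   link_id is therefore the EFT_ID for the SOAP stage and the TX_ID for the
   EFT stage, so both stages of one business transaction share one key. */
index=myindex host=myhost (sourcetype=sourcetype1 OR sourcetype=sourcetype2) (source=log1 OR source=log2)
| rex field=_raw "transaction ID: (?<EFT_ID>\S+)"
| stats min(_time) AS start max(_time) AS end values(EFT_ID) AS EFT_ID BY TX_ID
| eval duration=end-start
| eval link_id=coalesce(mvindex(EFT_ID,0), TX_ID)
| stats min(start) AS e2e_start max(end) AS e2e_end values(TX_ID) AS TX_IDs sum(duration) AS stage_durations BY link_id
| eval e2e_duration=e2e_end-e2e_start
| where mvcount(TX_IDs)=2
| table link_id TX_IDs e2e_start e2e_end stage_durations e2e_duration
```

Option 1 answers the original question literally (re-run the transaction search with the EFT_ID as TX_ID), while option 2 gives the end-to-end figure directly: e2e_duration spans from the first SOAP event to the last EFT event, and the where clause keeps only keys that matched both a SOAP and an EFT transaction, so unpaired stages are not reported as complete.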