Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for events occurring outside of two different transactions.

tbrown
Path Finder
‎08-20-2020 12:10 PM

I have the following scenario:

There are two transactions that I want to monitor. Both occur randomly, and multiple times. I also want to search for some specific events (Events X). These events come in multiple times as well, but sometime come in during some of those transactions.  I want to make a query that searches for all these events That Do NOT occur during any of the transactions.

I have a temporary query that does what I explain, but it only works for 1 type of the two transactions. I also have a temporary query that works for the other type of transaction.

How can I combine them to search for these events that do not occur during both types of transactions?

Here are my queries that work for a single type of transaction: 

 

 

index="main" OR (<Events X>)
| transaction startswith=<Start_Event1> endswith=<End_Event1> keeporphans=true
| search (<Events X>)
index="main" OR (<Events X>)
| transaction startswith=<Start_Event2> endswith=<End_Event2> keeporphans=true
| search (<Events X>)

 

 

Any feedback helps.

 

Labels (3)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...