Search for events occurring outside of two differe...

Splunk Search

I have the following scenario:

There are two transactions that I want to monitor. Both occur randomly, and multiple times. I also want to search for some specific events (Events X). These events come in multiple times as well, but sometime come in during some of those transactions. I want to make a query that searches for all these events That Do NOT occur during any of the transactions.

I have a temporary query that does what I explain, but it only works for 1 type of the two transactions. I also have a temporary query that works for the other type of transaction.

How can I combine them to search for these events that do not occur during both types of transactions?

Here are my queries that work for a single type of transaction:

index="main" OR (<Events X>)
| transaction startswith=<Start_Event1> endswith=<End_Event1> keeporphans=true
| search (<Events X>)

index="main" OR (<Events X>)
| transaction startswith=<Start_Event2> endswith=<End_Event2> keeporphans=true
| search (<Events X>)

Any feedback helps.

Get Updates on the Splunk Community!

Search for events occurring outside of two different transactions.

fields

stats

transaction

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?