Search for events occurring outside of two differe...

Splunk Search

I have the following scenario:

There are two transactions that I want to monitor. Both occur randomly, and multiple times. I also want to search for some specific events (Events X). These events come in multiple times as well, but sometime come in during some of those transactions. I want to make a query that searches for all these events That Do NOT occur during any of the transactions.

I have a temporary query that does what I explain, but it only works for 1 type of the two transactions. I also have a temporary query that works for the other type of transaction.

How can I combine them to search for these events that do not occur during both types of transactions?

Here are my queries that work for a single type of transaction:

index="main" OR (<Events X>)
| transaction startswith=<Start_Event1> endswith=<End_Event1> keeporphans=true
| search (<Events X>)

index="main" OR (<Events X>)
| transaction startswith=<Start_Event2> endswith=<End_Event2> keeporphans=true
| search (<Events X>)

Any feedback helps.

Get Updates on the Splunk Community!

Search for events occurring outside of two different transactions.

fields

stats

transaction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?