Splunk Search

Search that includes two following events, a call and then the response in the log

EspenLysvik
Explorer

How do I make a search that includes to events. The first event is a 'CALL' with parameters and the second event is the response.

Labels (1)
Tags (2)
0 Karma
1 Solution

EspenLysvik
Explorer

This helped me to find a solution, thank you for your contribution.


index="*" CommonStoredProcedureCallback | transaction startswith="INN-SPORSMAAL-SVAR" maxevents=2 | search "status: F"




View solution in original post

0 Karma

EspenLysvik
Explorer

2022-02-15 11:36:22,486 SQL [http-nnnnnn] [CommonStoredProcedureCallback] [X-CID:yyyyyyyyyyyDb2Connector] CALL PROD.STOREDPROCEDURE (XXXX, YYYYYYY,
2022-02-15 11:36:22,486 INFO [http-nnnnnn] [CommonStoredProcedureCallback] <no.xxxxxxxxx.yyyyy.xx.db.xxxxCallback@12d32496.doInCallableStatement>: status: F

I want both these two as part of the search, the call and the callback.

0 Karma

gcusello
Legend

Hi @EspenLysvik,

if you don't have any ID to group events and events are one after one, you could try something like this:

index=your_index CommonStoredProcedureCallback
| transaction startswith="CALL" maxevents=2
| table _time duration ...

Ciao.

Giuseppe

EspenLysvik
Explorer

This helped me to find a solution, thank you for your contribution.


index="*" CommonStoredProcedureCallback | transaction startswith="INN-SPORSMAAL-SVAR" maxevents=2 | search "status: F"




0 Karma

gcusello
Legend

Hi @EspenLysvik,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

EspenLysvik
Explorer

I want the CALL and the "status: F" to be a part of the search.

Tags (1)
0 Karma

gcusello
Legend

Hi @EspenLysvik,

is there an id or a code to use to group events?

could you share some sample of events.

Ciao.

Giuseppe

 

Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...