Splunk Search

Search that includes two following events, a call and then the response in the log

EspenLysvik
Explorer

How do I make a search that includes to events. The first event is a 'CALL' with parameters and the second event is the response.

Labels (1)
Tags (2)
0 Karma
1 Solution

EspenLysvik
Explorer

This helped me to find a solution, thank you for your contribution.


index="*" CommonStoredProcedureCallback | transaction startswith="INN-SPORSMAAL-SVAR" maxevents=2 | search "status: F"




View solution in original post

0 Karma

EspenLysvik
Explorer

2022-02-15 11:36:22,486 SQL [http-nnnnnn] [CommonStoredProcedureCallback] [X-CID:yyyyyyyyyyyDb2Connector] CALL PROD.STOREDPROCEDURE (XXXX, YYYYYYY,
2022-02-15 11:36:22,486 INFO [http-nnnnnn] [CommonStoredProcedureCallback] <no.xxxxxxxxx.yyyyy.xx.db.xxxxCallback@12d32496.doInCallableStatement>: status: F

I want both these two as part of the search, the call and the callback.

0 Karma

gcusello
Legend

Hi @EspenLysvik,

if you don't have any ID to group events and events are one after one, you could try something like this:

index=your_index CommonStoredProcedureCallback
| transaction startswith="CALL" maxevents=2
| table _time duration ...

Ciao.

Giuseppe

EspenLysvik
Explorer

This helped me to find a solution, thank you for your contribution.


index="*" CommonStoredProcedureCallback | transaction startswith="INN-SPORSMAAL-SVAR" maxevents=2 | search "status: F"




0 Karma

gcusello
Legend

Hi @EspenLysvik,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

EspenLysvik
Explorer

I want the CALL and the "status: F" to be a part of the search.

Tags (1)
0 Karma

gcusello
Legend

Hi @EspenLysvik,

is there an id or a code to use to group events?

could you share some sample of events.

Ciao.

Giuseppe

 

Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...