Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search to Pull Values from START log
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search to Pull Values from START log
I have a search that monitor's failed PO's.
Essentially the idea is to monitor the overall state of the txn, and whether it fails..so I calc latest(status) as Exit_Status to find the overall status of a transaction.
What happens when the txn fails, though, is we lose valuable customer information from the START log that our support could really use in determining the root cause.
How can I pull the values from the START LOG, but still monitor the overall status of the PO?
Here is my search:
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=*fail bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id) | stats earliest(_time) as start_time, latest(_time) as end_time, first(svc_context_name) as svc_context_name, first(FromIdentity) as FromIdentity, first(TPCode) as TPCode, first(PONumber) as PONumber, latest(status) as exit_status, first(other) as exit_message by marker | eval duration=end_time-start_time | eval _time=start_time|convert ctime(start_time) ctime(end_time)
The output of the alert typically has blank fields for the PO Number, TPCode, and FromIdentity.
I have been playing around with the search, but I haven't been able to pull those values from the start log of the order in to the alert when monitoring the overall status of FAIL.
Any suggestions would be awesome...thanks in advance!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
I don't have the status values for start and end log, so please update that accordingly, in line 3.
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="status=ERROR OR status=COMPLETE"
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time)
|eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. I'm not getting any results back after updating the third line...index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="FAIL*"
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time)
| eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
