Good Day, I am trying to come up with ideas to translate a Sumo Transactional search with (States) Conditions to a Splunk Query. If anyone can provide some other options, please let me know.
Here is my sample Sumo search:
_sourceCategory=prod/app/m/* and "statement" and ("Search Keys" or "STATUS=ERROR" or Error)
| parse "[ID=*]" as MID nodrop
| transactionize MID (merge MID takeFirst, _raw join with "\n\n")
| transaction on ORGID, EVENT, ORDER, FACILITY with "*A request to obtain a channel subscription failed*" as NO_SUB, with "*M cannot be discontinued*" as NO_DC, with "*Person not found*" as NO_PERSON
| (NO_SUB + NO_DC + NO_PERSON) as Total
| fields ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC,NO_PERSON
| sort by Total, ORGID, EVENT, ORDER
//| sort by ORGID, EVENT
Splunk Search so far:
index=hhh_m_prod sourcetype=mirth* MID=* CID=* acctnumber=* facility=* orgid=* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error")
| fillnull value="NULL" | transaction MID
| eval NO_DC=if(match(_raw, "M cannot be discontinued"), 1, 0)
| eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed"), 1, 0)
| eval NO_PERSON=if(match(_raw, "Person not found"), 1, 0)
| transaction ORGID EVENT ORDER FACILITY
| eval Total=NO_SUB+NO_DC+NO_PERSON
| table ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC, NO_PERSON
| sort Total ORGID EVENT ORDER
I am lost for ideas in running the conditional transaction statements... Should I use more eval statements, or set up a transactiontypes.conf?
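The following is an added SPL translation of the Sumo search (example code, not from the original post): it merges the multi-line messages by MID as the Sumo transactionize step does, turns each state condition into a 1/0 flag, and then aggregates those flags with stats per ORGID/EVENT/ORDER/FACILITY instead of a second transaction, because transaction collapses the grouped events into one merged event and sum() cannot add "Yes"/"No" strings. It assumes the index and sourcetype from the question and that ORGID, EVENT, ORDER and FACILITY are extracted under exactly those names; Splunk field names are case-sensitive, so the lowercase orgid and facility used in the base search must match the names used downstream.

```spl
index=hhh_m_prod sourcetype=mirth* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error")
| rex field=_raw "\[ID=(?<MID>[^\]]+)\]"
| transaction MID
| eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed"), 1, 0)
| eval NO_DC=if(match(_raw, "M cannot be discontinued"), 1, 0)
| eval NO_PERSON=if(match(_raw, "Person not found"), 1, 0)
| stats sum(NO_SUB) AS NO_SUB sum(NO_DC) AS NO_DC sum(NO_PERSON) AS NO_PERSON BY ORGID EVENT ORDER FACILITY
| eval Total=NO_SUB+NO_DC+NO_PERSON
| table ORGID EVENT ORDER FACILITY Total NO_SUB NO_DC NO_PERSON
| sort Total ORGID EVENT ORDER
```

The rex line mirrors the Sumo parse "[ID=*]" as MID step and can be dropped when MID is already extracted; if transaction MID becomes expensive at volume, a stats ... by MID grouping is the usual substitute.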