Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Tracking of particular field

N92
Path Finder
‎03-19-2018 06:13 AM

I have two fields from them I want to track particular one field with starting of this & ending of that value. For that, I have written as shown below. Is any correction needed?

| transaction abc xyz startswith=(xyz="something") endswith=(cs_uri_stem="anything") maxspan=1s

Here currently I have added maxspan=1s but I want to check immediate next event with anything value which may occur before 1s.
I want to focus on only immediate next event from abc.

Another question is: Here I am tracking only one value. But how can I track field value in both the field. share any eg.

Tags (1)
0 Karma
Reply

tiagofbmm
Influencer
‎03-19-2018 06:17 AM

Have you checked the 

maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000

That with value 2 will get you the immediate next event with abc value.

0 Karma
Reply

N92
Path Finder
‎03-19-2018 06:29 AM

| transaction abc xyz startswith=(xyz="something") endswith=(xyz="anything") maxevents=2

If I am adding maxevents then it will match xyz's starting & ending value also?

After matching xyz value it will go further & check maxevents for abc field?

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 10:25 AM

Yes.

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...