Splunk Search

Transaction Order Out of Sequence Identification

Mick_OBrien
Path Finder

Hi All,

We have an application that gets events in from an external party but occasionally we see out of sequence events that occur due to underlying issues with the MQ interface [guaranteed delivery but not necessarily in correct order].  Identifying out of sequence events would then point to an issue with the underlying MQ. 

Given this set of data..

| makeresults format=csv data="timelogged, formDataId, eventOrder
00:02,AA,2
00:03,AA,3
00:04,AA,3
00:05,AA,4
00:06,AA,5
00:07,AA,9
01:02,BB,2
01:03,BB,3
01:04,BB,3
01:05,BB,4
01:07,BB,9
01:08,BB,5
02:02,CC,2
02:03,CC,3
02:04,CC,3
02:05,CC,4
02:06,CC,5
02:07,CC,9
03:01,DD,1
04:02,EE,2
04:03,EE,4
04:04,EE,3
04:05,EE,9"
| table timelogged, formDataId, eventOrder

...how could the highlighted transactions be identified?

Note: We do not get all types of events and the 'first' event is not usually seen [as indicates an error on vendor side]

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Assuming events are already sorted in time order, try something like this

| streamstats window=1 current=f values(eventOrder) as previous by formDataId
| where previous > eventOrder

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Assuming events are already sorted in time order, try something like this

| streamstats window=1 current=f values(eventOrder) as previous by formDataId
| where previous > eventOrder

Mick_OBrien
Path Finder

@ITWhisperer 

Thank you - that worked

Do you have any links/examples for 'streamstats' and use of 'current' and 'values' clauses?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

In a simple use case you can get similar effect by using the autoregress command. But since streamstats is way more powerful and can also be used in simple cases, people tend to use even for those simple cases 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...