Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transaction not grouping subsequent filter strings

Naren26
Path Finder
‎08-23-2021 05:01 AM

I am trying to find the occurrence whenever the state changes due to the error. Below are my sample events:

2021/08/01 07:12:12.098 host=12345 In
2021/08/01 07:13:12.098 host=12345 In
2021/08/01 07:14:12.098 host=12345 Out
2021/08/01 07:15:12.098 host=12345 Out
2021/08/01 07:16:12.098 host=12345 In
2021/08/01 07:17:12.098 host=12345 In
2021/08/01 07:18:12.098 host=12345 Out
2021/08/01 07:18:35.098 host=12345 ERROR
2021/08/01 07:19:12.098 host=12345 In
2021/08/01 07:20:12.098 host=12345 Out

I need to group the events when the state (In/Out) changed due an ERROR event. For the above sample events, I should not get any result. Because, when the ERROR event happened, the host is already in "Out" stage. We need to monitor only when a "In" host changes to "Out" due to an ERROR.

I tried the below search

 

index=myindex ("Cut-In" OR "Cut-Out" OR "ERROR")
| rex "host=(?<host>\d+) (?<State>.*)"
| transaction host startswith="State=In" endswith="Out" maxspan=24h
| where searchmatch("ERROR")
| table _time host

 

But the above query returns a result by grouping the "In" state which logged at "07:16:12" as start of the transaction and "07:20:12" as end of the transaction. This is not a valid scenario.

Please help me in framing the logic.

Labels (2)
Labels
0 Karma
Reply

Naren26
Path Finder
‎08-25-2021 05:55 AM

This is not working too. I am still getting the event which should not be picked

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2021 05:59 AM

Given that the runanywhere example works, how does your real data differ from the example?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2021 05:29 AM

Try something like this - note that 07:13 - 07:14 appears as a transaction and 07:12 - 07:15 is an outer transaction which may or may not be what you want, but given this is dummy data, this may just be a quirk of the example you made up.

| makeresults 
| eval _raw="2021/08/01 07:12:12.098 host=12345 In
2021/08/01 07:13:12.098 host=12345 In
2021/08/01 07:14:12.098 host=12345 Out
2021/08/01 07:15:12.098 host=12345 Out
2021/08/01 07:16:12.098 host=12345 In
2021/08/01 07:17:12.098 host=12345 In
2021/08/01 07:18:12.098 host=12345 Out
2021/08/01 07:18:35.098 host=12345 ERROR
2021/08/01 07:19:12.098 host=12345 In
2021/08/01 07:20:12.098 host=12345 Out"
| multikv noheader=t 
| table _raw



| rex "(?<datetime>.*)\shost=(?<host>\d+)\s(?<State>.*)"
| eval _time=strptime(datetime,"%Y/%m/%d %H:%M:%S.%Q")
| sort 0 - _time
| transaction host startswith="State=In" endswith="Out" maxspan=24h
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...