Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transaction not grouping subsequent filter strings

Naren26
Path Finder
‎08-23-2021 05:01 AM

I am trying to find the occurrence whenever the state changes due to the error. Below are my sample events:

2021/08/01 07:12:12.098 host=12345 In
2021/08/01 07:13:12.098 host=12345 In
2021/08/01 07:14:12.098 host=12345 Out
2021/08/01 07:15:12.098 host=12345 Out
2021/08/01 07:16:12.098 host=12345 In
2021/08/01 07:17:12.098 host=12345 In
2021/08/01 07:18:12.098 host=12345 Out
2021/08/01 07:18:35.098 host=12345 ERROR
2021/08/01 07:19:12.098 host=12345 In
2021/08/01 07:20:12.098 host=12345 Out

I need to group the events when the state (In/Out) changed due an ERROR event. For the above sample events, I should not get any result. Because, when the ERROR event happened, the host is already in "Out" stage. We need to monitor only when a "In" host changes to "Out" due to an ERROR.

I tried the below search

 

index=myindex ("Cut-In" OR "Cut-Out" OR "ERROR")
| rex "host=(?<host>\d+) (?<State>.*)"
| transaction host startswith="State=In" endswith="Out" maxspan=24h
| where searchmatch("ERROR")
| table _time host

 

But the above query returns a result by grouping the "In" state which logged at "07:16:12" as start of the transaction and "07:20:12" as end of the transaction. This is not a valid scenario.

Please help me in framing the logic.

Labels (2)
Labels
0 Karma
Reply

Naren26
Path Finder
‎08-25-2021 05:55 AM

This is not working too. I am still getting the event which should not be picked

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2021 05:59 AM

Given that the runanywhere example works, how does your real data differ from the example?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2021 05:29 AM

Try something like this - note that 07:13 - 07:14 appears as a transaction and 07:12 - 07:15 is an outer transaction which may or may not be what you want, but given this is dummy data, this may just be a quirk of the example you made up.

| makeresults 
| eval _raw="2021/08/01 07:12:12.098 host=12345 In
2021/08/01 07:13:12.098 host=12345 In
2021/08/01 07:14:12.098 host=12345 Out
2021/08/01 07:15:12.098 host=12345 Out
2021/08/01 07:16:12.098 host=12345 In
2021/08/01 07:17:12.098 host=12345 In
2021/08/01 07:18:12.098 host=12345 Out
2021/08/01 07:18:35.098 host=12345 ERROR
2021/08/01 07:19:12.098 host=12345 In
2021/08/01 07:20:12.098 host=12345 Out"
| multikv noheader=t 
| table _raw



| rex "(?<datetime>.*)\shost=(?<host>\d+)\s(?<State>.*)"
| eval _time=strptime(datetime,"%Y/%m/%d %H:%M:%S.%Q")
| sort 0 - _time
| transaction host startswith="State=In" endswith="Out" maxspan=24h
0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...