Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using subsearch?

shangshin
Builder
‎11-06-2012 07:37 AM

Hi,
I have a log file with 3 columns, timestamp, processID and state. When the process starts or ends, a row is inserted into the log file. What's the best search string to find out all jobs in start state?

Thanks in advance!

time PID   State 
9:22 1000  start
9:23 2000  start
9:24 3000  start
9:25 4000  start
9:26 5000  start
9:37 2000  end
9:38 4000  end
9:39 6000  start
9:40 7000  start
9:41 5000  end
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-06-2012 08:32 AM

I don't think a subsearch would be of any use in your scenario. Rather I'd advise you to use transaction or stats. Both can be used to group events by PID and then show you the groups that have a start event but no end event.

Using stats, it would be something like:

... | stats count,values(State) by PID | where count<2

And similarly, using transaction:

... | transaction PID | search eventcount<2

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-06-2012 08:32 AM

I don't think a subsearch would be of any use in your scenario. Rather I'd advise you to use transaction or stats. Both can be used to group events by PID and then show you the groups that have a start event but no end event.

Using stats, it would be something like:

... | stats count,values(State) by PID | where count<2

And similarly, using transaction:

... | transaction PID | search eventcount<2
Reply
Solved! Jump to solution

shangshin
Builder
‎11-07-2012 12:18 PM

That's execellent. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-06-2012 01:40 PM

Sure - the transaction command always produces two fields, eventcount and duration. We already used eventcount for the answer to your first question, and you could use duration for your second - it simply holds the duration, in seconds, of each transaction.

Reply
Solved! Jump to solution

shangshin
Builder
‎11-06-2012 12:26 PM

I like the solution using transaction. Is there a way to find out the total traction time?
E.g. the PID 2000 took 14 minutes using the above sample log.

This will be very useful.

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

APP DEVELOPER TECH TALK Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...