I need to find hosts on which Event B occurred within three minutes of Event A. I'm trying to use transaction, but I seem to be running into the problem that a transaction is marked closed if either maxspan or startswith is satisfied, and I want all three of these constraints to be satisfied:
... | transaction host maxspan=3m startswith(EventCode=A) endswith(EventCode=B)
Event A is far more common than Event B, so I end up with a lot of transactions consisting only of Event A, which is annoying. unifyends=t doesn't work; A and B have nothing in common with each other, so I just end up with Event A-only transactions. I could try to filter by the EventCode field after the transactions are created, but that seems silly; transaction should be able to do this implicitly. Can I do something in the transaction command to make it honor all three constraints? I am running Splunk 4.3.4.
Do your transactions with a larger time range, then apply conditions to find the transactions matching your requirements.
... | transaction host maxspan=6m startswith(EventCode=A) endswith(EventCode=B) | search EventCode=B AND duration<=180
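The following is an added example, not code from the thread and not Splunk's own implementation: a small Python model of what the answer's pipeline does, run over constructed sample events. It groups events per host the way `transaction host maxspan=6m startswith(EventCode=A) endswith(EventCode=B)` would (simplified: a transaction opens on A, closes on the first B, when the next event would exceed maxspan, or, as an assumption about Splunk's behaviour, when another A arrives), and then applies the post-filter `search EventCode=B AND duration<=180`. It makes visible why the wider maxspan plus filter is needed and where the A-only transactions the question complains about come from.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, host, EventCode)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "web01", "A"),
    ("2024-01-01 10:02:00", "web01", "B"),  # B 2 min after A: the host we want
    ("2024-01-01 10:10:00", "web02", "A"),
    ("2024-01-01 10:15:00", "web02", "B"),  # B 5 min after A: inside maxspan=6m, outside 3 min
    ("2024-01-01 10:20:00", "web03", "A"),
    ("2024-01-01 10:21:00", "web03", "A"),  # A followed only by another A: A-only transactions
    ("2024-01-01 10:30:00", "web04", "B"),  # B with no preceding A: never opens a transaction
    ("2024-01-01 10:40:00", "web05", "A"),
    ("2024-01-01 10:50:00", "web05", "B"),  # B 10 min after A: maxspan closes an A-only transaction
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_transactions(events, maxspan=timedelta(minutes=6), start_code="A", end_code="B"):
    """Simplified model of
        transaction host maxspan=<maxspan> startswith(EventCode=A) endswith(EventCode=B)
    Events are processed per host in time order. A transaction opens on a start
    event and closes on the first end event, when the next event would exceed
    maxspan, or (assumed behaviour) when another start event arrives. Events
    that arrive while no transaction is open on that host are dropped.
    Returns the closed transactions with their duration in seconds.
    """
    open_txn = {}  # host -> transaction currently being assembled
    closed = []

    def close(txn, reason):
        txn["closed_by"] = reason
        txn["duration"] = (txn["end"] - txn["start"]).total_seconds()
        closed.append(txn)

    for ts_str, host, code in sorted(events, key=lambda e: (e[1], _ts(e[0]))):
        ts = _ts(ts_str)
        txn = open_txn.get(host)
        # maxspan exceeded: close what we have (an A-only transaction if no B arrived)
        if txn is not None and ts - txn["start"] > maxspan:
            close(open_txn.pop(host), "maxspan")
            txn = None
        if code == start_code:
            if txn is not None:
                close(open_txn.pop(host), "restart")
            open_txn[host] = {"host": host, "start": ts, "end": ts, "codes": [code]}
        elif txn is not None:
            txn["end"] = ts
            txn["codes"].append(code)
            if code == end_code:
                close(open_txn.pop(host), "endswith")
        # else: a B with no open transaction on this host is dropped
    for host in list(open_txn):
        close(open_txn.pop(host), "end_of_data")
    return closed


def hosts_with_b_within(events, window=timedelta(minutes=3), maxspan=timedelta(minutes=6)):
    """The answer's approach: transactions with a wider maxspan, then keep only
    those that reached Event B within the window
    (the SPL `| search EventCode=B AND duration<=180`)."""
    txns = build_transactions(events, maxspan)
    matched = [t for t in txns
               if t["closed_by"] == "endswith" and t["duration"] <= window.total_seconds()]
    return sorted({t["host"] for t in matched})


def a_only_transactions(events, maxspan=timedelta(minutes=6)):
    """The noise the question complains about: transactions that never saw Event B."""
    return [t for t in build_transactions(events, maxspan) if "B" not in t["codes"]]


if __name__ == "__main__":
    for t in build_transactions(SAMPLE_EVENTS):
        print(t["host"], t["codes"], t["closed_by"], int(t["duration"]))
    print("hosts with B within 3 min of A:", hosts_with_b_within(SAMPLE_EVENTS))
    print("A-only transactions discarded:", len(a_only_transactions(SAMPLE_EVENTS)))
```

On the sample data only web01 survives the filter: web02 reaches B inside maxspan but with duration 300 > 180, web03 and web05 produce the A-only transactions that the post-filter throws away, and web04's lone B never opens a transaction at all.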
I'll do this, but I still think transaction should be able to do this itself. It seems inefficient to have to pull back all the solo Event As and then discard most of them.