search currently running jobs

sarora · ‎04-10-2014

If my transaction logs START AND END as mentioned below then I know my transaction completed. But I want to find out transactions that have started but not ended. And I want to do that by looking for PID that have START but no END. How do I write this search query?

INFO 2014-04-10 05:16:16 15696 19126260 [ClassA]: START JOB1
INFO 2014-04-10 05:16:16 15696 19126260 [ClassA]: Perform STEP 1
INFO 2014-04-10 05:16:18 15696 19126260 [ClassA]: Perform STEP 2
INFO 2014-04-10 05:16:18 15696 19126260 [ClassA]: Perform some more STEPS
INFO 2014-04-10 05:16:18 15696 19126260 [ClassA]: END JOB1

Thanks.

somesoni2 · ‎04-10-2014

Try this (assuming PID is an extracted field)

your base search | transaction keeporphans=t PID startswith="START" endswith="END" | where isnull(closed_txn)

This should give all the events which are not part of a completed transaction. You can further summarize as per your need.

sarora · ‎04-11-2014

Thanks for the help.

It didn't work as-is. So I made few adjustments.

base serahc | transaction keepevicted=true pid startswith="START" endswith="END" | search closed_txn=0

This will include transactions that don't start with "START". I want where it always start with "START".

search currently running jobs

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector