Splunk Search

search for a sequence of events in a transaction

gundepalli
Explorer

I have a log file in which I am grouping the events using the transaction command based on session ID. Within each transaction I need to find two events (event A and event B) that occur in a sequence, with the second event being the last event in the transaction. I need only transactions that have event A.
Here is what I have so far:

index=xyz | transaction sessionid endswith="event B" | search "event A"

The above query pulls all transactions that surely have "event A" and end with "event B". But how do I pull only transactions that have "event A" followed by "event B", event B being the last event in the transaction?

Help appreciated.
Thanks in advance


sowings
Splunk Employee

EDIT: We want to find the entire transaction, but filter down the set to only those in which event B was last. I'm going to assume that there's some field that differentiates event A from event B, and further, for the example below, I'm going to assume that the value of that field is either A or B (or something else as appropriate). Let's call this field event_id.

index=xyz | transaction mvlist=event_id sessionid | where mvindex(event_id, -1) == "B"

This says "build a transaction across the sessionid, treating the event_id field as a multi-value field", then "filter transactions where the last value of the event_id multi-value field is 'B'". Hopefully you've got fields within your events that enable such a search. If not, it gets a bit more complicated.
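To make the logic of the answer above concrete outside Splunk, here is an added Python example (not from the original thread or from Splunk). It groups constructed sample log lines by sessionid in time order, the way `transaction mvlist=event_id sessionid` builds the event_id multi-value list, then applies two filters: the answer's `mvindex(event_id, -1) == "B"` check, and the stricter check the asker wants, where the last two events must be exactly A then B. The line format, field names and session ids are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). Each line carries a
# session id and an event_id; "C" stands for any other event in the session.
# Lines for s5 are deliberately out of time order to show the sort step.
SAMPLE_LOG = """\
t=1 sessionid=s1 event_id=A
t=2 sessionid=s1 event_id=B
t=1 sessionid=s2 event_id=A
t=2 sessionid=s2 event_id=C
t=3 sessionid=s2 event_id=B
t=1 sessionid=s3 event_id=B
t=2 sessionid=s3 event_id=A
t=1 sessionid=s4 event_id=A
t=2 sessionid=s4 event_id=B
t=3 sessionid=s4 event_id=C
t=2 sessionid=s5 event_id=B
t=1 sessionid=s5 event_id=A
t=0 sessionid=s5 event_id=C
"""

# Assumed line layout for the sample: "t=<int> sessionid=<id> event_id=<id>"
LINE_RE = re.compile(
    r"t=(?P<t>\d+)\s+sessionid=(?P<sessionid>\S+)\s+event_id=(?P<event_id>\S+)"
)


def parse_line(line):
    """Extract the three fields from one sample line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "t": int(m.group("t")),
        "sessionid": m.group("sessionid"),
        "event_id": m.group("event_id"),
    }


def build_transactions(log_text):
    """Group events by sessionid and order them by time.

    Returns {sessionid: [event_id, ...]}, the same shape as the event_id
    multi-value field produced by `transaction mvlist=event_id sessionid`.
    """
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_session[ev["sessionid"]].append(ev)
    return {
        sid: [e["event_id"] for e in sorted(evs, key=lambda e: e["t"])]
        for sid, evs in by_session.items()
    }


def last_event_is(events, value="B"):
    """Equivalent of `where mvindex(event_id, -1) == "B"` from the answer."""
    return bool(events) and events[-1] == value


def ends_with_sequence(events, tail=("A", "B")):
    """Stricter check: the transaction's final events are exactly A then B."""
    n = len(tail)
    return len(events) >= n and tuple(events[-n:]) == tuple(tail)


def matching_sessions(log_text, tail=("A", "B")):
    """Session ids whose transaction ends with the given event sequence."""
    txns = build_transactions(log_text)
    return sorted(sid for sid, evs in txns.items() if ends_with_sequence(evs, tail))


if __name__ == "__main__":
    txns = build_transactions(SAMPLE_LOG)
    print("last event is B:", sorted(s for s, e in txns.items() if last_event_is(e)))
    print("ends with A,B:  ", matching_sessions(SAMPLE_LOG))
```

On the sample, the answer's last-value check keeps s1, s2 and s5, while the stricter A-then-B check drops s2 (an intervening C sits between A and B) and keeps only s1 and s5. In SPL terms the stricter version amounts to also testing the second-to-last value of the multi-value field (index -2) in the same `where` clause.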

sowings
Splunk Employee

Oh, I see. When you dictate "endswith", you declare that the transaction ends with event B, so Splunk will say "oh, that transaction's done, next!", and it will always appear that event B was the last event. I'll edit my above post to reflect what you want.


gundepalli
Explorer

I would like to see all the events in the transaction that has event B as the last event and the one preceding it as event A. The above search would only have transactions with event A and B, which is not what I want.


gundepalli
Explorer

Yes, event B always follows event A. They are consecutive events. Event A and event B are the only ones I care about in the transaction, and I need to pull just those transactions.


sowings
Splunk Employee

And are event A and event B the only events you care about in this transaction?


richgalloway
SplunkTrust

I'm confused. If the transaction contains event A and ends with event B, then won't event B always follow event A? Do you mean no intervening events?
