Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search for a sequence of events in a transaction

gundepalli
Explorer
‎01-10-2014 11:28 AM

I have a log file that I am grouping the events using transaction command based on session ID. Within each transaction i need to find two events (event A and event B)that occur in a sequence and the second event being the last event in the transaction. I need only transactions that have event A.
Here is what I have so far:

index=xyz | transaction sessionid endswith="event B" | search "event A" .

The above query pulls all transactions that surely have "event A" and ends with "event B". But how do i pull only events that have "event A" followed by "event B" , event B being the last event in the transaction.

Help appreciated.
Thanks in advance

Tags (2)
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:49 AM

EDIT: We want to find the entire transaction, but filter down the set to only those in which event B was last. I'm going to assume that there's some field that differentiates event A from event B, and further, for the example below, I'm going to assume that the value of that field is either A or B (or something else as appropriate). Let's call this field event_id.

index=xyz | transaction mvlist=event_id sessionid | where mvindex(event_id, -1) == "B"

This says "build a transaction across the sessionid, treating the event_id field as a multi-value field", then "filter events where the last value of the event_id multi-value field is "B". Hopefully you've got fields within your events that enable such a search. If not, it gets a bit more complicated.

Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 12:00 PM

Oh, I see. When you dictate "endswith", you declare that the transaction ends with event B, so Splunk will say "oh, that transaction's done, next!", and it will always appear that event B was the last event. I'll edit my above post to reflect what you want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:55 AM

I would like to see all the events in the transaction that has event B as the last event and the one preceding it as event A. the above search wouldonly have transactions with event A and B which is not what i want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:40 AM

yes, Event B always follows event A. They are consecutive events. Event A and Event B are the only once i care about in the transaction and need to pull just those transactions.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:37 AM

And are event A and event B the only events you care about in this transaction?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2014 11:36 AM

I'm confused. If the transaction contains Event A and ends with Event B then won't Event B always follow Event A? Do you mean no intervening events?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...