I have a log file in which I am grouping the events using the transaction command based on session ID. Within each transaction I need to find two events (event A and event B) that occur in sequence, with the second event being the last event in the transaction. I need only transactions that have event A.
Here is what I have so far:
index=xyz | transaction sessionid endswith="event B" | search "event A"
The above query pulls all transactions that definitely have "event A" and end with "event B". But how do I pull only transactions that have "event A" followed by "event B", with event B being the last event in the transaction?
Thanks in advance
I'm confused. If the transaction contains Event A and ends with Event B then won't Event B always follow Event A? Do you mean no intervening events?
Yes, event B always follows event A. They are consecutive events. Event A and event B are the only ones I care about in the transaction, and I need to pull just those transactions.
EDIT: We want to find the entire transaction, but filter down the set to only those in which event B was last. I'm going to assume that there's some field that differentiates event A from event B, and further, for the example below, I'm going to assume that the value of that field is either A or B (or something else as appropriate). Let's call this field event_id.
index=xyz | transaction mvlist=event_id sessionid | where mvindex(event_id, -1) == "B"
This says "build a transaction across the sessionid, treating the event_id field as a multi-value field", then "filter transactions where the last value of the event_id multi-value field is "B"". Hopefully you've got fields within your events that enable such a search. If not, it gets a bit more complicated.
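As an added example (not part of the original answer), here is the same pipeline extended with the second condition the asker wants: the event immediately before the final "B" must be an "A". It assumes the events carry no pre-extracted event type, so an event_id field is derived from the raw text first; the `like()` patterns and the value "other" are assumptions for illustration. If your events already have a suitable field, drop the eval line and use that field name instead.

```spl
index=xyz
| eval event_id=case(like(_raw, "%event A%"), "A", like(_raw, "%event B%"), "B", true(), "other")
| transaction sessionid mvlist=event_id
| where mvindex(event_id, -1) == "B" AND mvindex(event_id, -2) == "A"
| table sessionid eventcount event_id _raw
```

Two points worth checking before trusting the result. First, do not combine this with endswith="event B": that option closes the transaction at the first B, so B is always last by construction and the check proves nothing; here the transaction is bounded only by the default maxspan/maxpause, so "last" means last in the session. Second, mvindex(event_id, -2) returns null on a single-event transaction, so the where clause silently drops those, which is the desired behaviour; the mvlist values are in the same chronological order as the events inside the transaction, which is what makes the -1/-2 positions meaningful.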
I would like to see all the events in the transaction that has event B as the last event and the one preceding it as event A. The above search would only have transactions with events A and B, which is not what I want.
Oh, I see. When you dictate "endswith", you declare that the transaction ends with event B, so Splunk will say "oh, that transaction's done, next!", and it will always appear that event B was the last event. I'll edit my above post to reflect what you want.