transaction alternative

jhnworks · ‎06-29-2018

Have data in the following format ;
1:26:[06/28/2018][08:00:00.149][6959][3868982128][s537565/r17][servername1][filename.cpp:27][ActionMessage::ProcessMessage][][][][][][][][][][][][][][][][** Received request.][servername2]
2:26:[06/28/2018][08:00:00.159][6959][3868982128][s537565/r17][servername1][filename.cpp:57][ActionMessage::ProcessMessage][global1][global2][][][][Millz][][][][][][][][][][** Status: Authorized. ][]

3:26:[06/28/2018][08:00:00.149][6959][4005350256][s537565/r17][servername1][filename.cpp:27][ActionMessage::ProcessMessage][][][][][][][][][][][][][][][][** Received request.][servername2]
4:26:[06/28/2018][08:00:00.159][6959][4005350256][s537565/r17][servername1][filename.cpp:57][ActionMessage::ProcessMessage][global1][global2][][][][Millz][][][][][][][][][][** Status: Authenticated. ][]

| transaction field5 host maxevents=5 startswith="** Received*" endswith="** Status*" | sort -duration| table field25, duration

Need the table as
** Status: Authorized. .010
** Status: Authenticated. .010

However it results as
** Received request.
** Status: Authorized. .010
** Received request.
** Status: Authenticated. .010

What's the best way to normalise this and also get table to only have the 'endswith' string ?

FrankVl · ‎06-30-2018

Try this:

| stats range(_time) as duration latest(field25) as field25 by field5
| table field25,duration

transaction alternative

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

transaction alternative

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives