Hi everyone! We want to get the new errors that don't appear yesterday. For example, if an action named A. Its yesterday's error codes are A1, A2, A3. But its today's error codes are A1, A2, A4, A5. A4 and A5 are new errors. The fields we use in Splunk is below: application: the name of an application transId: the name of an action in our system errorCode: the error code of an action once an exception occurred The result we want to get for the example above is like below: application transId errorCode exp A A4 exp A A5   I've tried subsearch but it doesn't work well! Subsearch will be auto-finalized after 60s! ... View more

Background information In our system,  every visit consists of one or more actions. Every action has its own name and in Splunk it's a field named "transId". Every time an action is triggered, it has a unique sequence and in Splunk it's a field named "gsn". A customer has his unique id and in Splunk it's a field named "uid". During the period of a customer visit our system, he has a unique session id and in Splunk it's a field named "sessionId". If we want to locate a complete operation of a user, we need to use uid and sessionId together. Like many other systems, the order of actions in our system is fixed, under normal circumstances. What we want We want to create an alter to monitor the abnormal order of actions. For example, an important action named "D", it is at the end of an action-chain. Under normal circumstances, you must  access our system by the order of actions "A B C D". But some hackers may skip the trans B, which may be an action that verify his identity. The problem is that I don't know the command to get abnormal results. We can accept that we need to input the order of actions for every action-chain. It's better to read the order by configuration file. What I've tried   | stats count by sessionId uid transId gsn _time | sort 0 sessionId uid _time   I can get every use's order of actions by this command. Can you give me some advice? If you want to get more information, you can ask me here. Best wishes! ... View more

Hey partner In my system, every visit consist of one or more transactions and every has its global serial number, which is unique(gsn for short). A transaction may produce many rows of logs, which is event in Splunk,  but it has the same gsn. A transaction always ends with "trans end transName", while the "transName" means the name of the transaction, a transaction named Test ends with "trans end Test", for example. Every transaction's name is unique and just appear once per gsn. I can get the transaction's name by using the command below.       rex "trans end (?<transName>\w+)"        I want to fill a common transName field for every event. For example, a transaction log 3 rows, which are treated as 3 events in Splunk. Its gsn is 10000 and its raw logs is like below:       GlobalseqNo:10000 trans end Test GlobalseqNo:10000 log 2 GlobalseqNo:10000 log 1       When I just use the command below, the result is like the table below       rex "trans end (?<transName>\w+)" | table gsn transName       gsn transName 10000 Test 10000   10000      I want to fill a common transName field for every event. So when there are a lot of transactions, the command above will produce the result below gsn transName 10000 Test 10000 Test 10000 Test 10001 A 10001 A 10002 B 10002 B ... View more

Background In my system, every visit consist of one or more transactions and every has its global serial number, which is unique(gsn for short). A transaction may produce many rows of logs but it has the same gsn. A transaction always ends with "trans end transName", while the "transName" means the name of the transaction, a transaction named Test ends with "trans end Test", for example. Every transaction's name is unique. Questions Now I have a transaction named A, which in some case will do something specially and log "special". But other transactions will log "special" too. And most 1 "special" and 1 "trans end A" per gsn. How can I get the rate of transaction A that goes this way by just one command or, some fast ways than subsearch? Tried Below is what I've tried. The subsearch runs very slowly, which takes 5 min at least. If there's no one-command way, I want to get a  way faster than subsearch.     //get the count of transaction A "trans end A" | stats count //get the count of transaction A that runs specially join type=inner gsn [search "trans end A"] | regex "special" | stats count       ... View more