×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
rish_raw
New Member
Member since: ‎01-09-2025
‎01-10-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-09-2025
View All

Re: Two syslogs usually together but need to repor...

by SplunkTrust in Splunk Search
‎01-11-2025 07:07 PM
‎01-11-2025 07:07 PM
Actually, I think transaction should work in this case.  @bowesmana is correct that your command is missing host as parameter.  But more than that, it is also missing option keeporphans.  Also the determinant is not eventcount but closed_txn.   | transaction host maxspan=5m keeporphans=true startswith="%ROUTING-LDP-5-NSR_SYNC_START" endswith="%ROUTING-LDP-5-NBR_CHANGE" | where closed_txn != 1 | stats count by host   Apply the above to this mock dataset: _raw _time host 1 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:02:45 host1 2 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:02:39 host2 3 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:02:33 host3 5 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:02:21 host0 6 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:02:15 host1 7 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:02:09 host2 8 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:02:03 host3 9 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:01:57 host4 10 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:01:51 host0 11 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:01:45 host1 13 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:01:33 host3 14 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:01:27 host4 15 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:01:21 host0 16 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:01:15 host1 17 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:01:09 host2 18 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:01:03 host3 19 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:00:57 host4 20 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:00:51 host0 21 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:00:45 host1 22 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:00:39 host2 23 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:00:33 host3 25 %ROUTING-LDP-5-NBR_CHANGE 2025-01-11 19:00:21 host0 26 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:00:15 host1 27 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:00:09 host2 28 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 19:00:03 host3 29 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 18:59:57 host4 30 %ROUTING-LDP-5-NSR_SYNC_START 2025-01-11 18:59:51 host0 You get host count host2 1 host4 2 Here is an emulation that produces the above mock data   | makeresults count=30 | streamstats count as _count | eval _time = _time - _count * 6 | eval host = "host" . _count % 5 | eval _raw = _count . " " . mvindex(mvappend("%ROUTING-LDP-5-NSR_SYNC_START", "%ROUTING-LDP-5-NBR_CHANGE"), -ceil(_count / 5) %2) | search NOT (_count IN (4, 12, 24) %ROUTING-LDP-5-NBR_CHANGE) ``` the above emulates index = test ("%ROUTING-LDP-5-NSR_SYNC_START" OR "%ROUTING-LDP-5-NBR_CHANGE") ```   Play with it and compare with real data. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-10-2025 04:42 PM