About jlacal

jlacal · ‎07-30-2014

You are the man, it works. Thanks. Now I need to find out how to give you points for providing the answer.

jlacal · ‎07-30-2014

Hello, Somesh: Thank you for putting this together. Unfortunately the code does not seem to do anything for me: I see the exact same timeline graph with my plain search code than by adding your code. I'll play with your code further to see if I can tweak it to my needs.

jlacal · ‎07-30-2014

Howdy: I'm a new Splunker so this may be a dumb question. I have looked around splunk>Answers and couldn't find a solution to my problem, So here it goes. Using Splunk Enterprise 6.1.2 on Mac OS X. This is a follow-up to my earlier question: http://answers.splunk.com/answers/148012/transaction-not-providing-all-events-in-target-range My log files look like this: ... aaRegistration ... ... events during “aaRegistration” phase, all with datestamp ... aaCalibration .. .... events during “aaCalibration” phase, all with datestamp ... aaInfo ... ... events during “aaInfo” phase ... aaMarks ... ... events during “aaMarks” phase, all with datestamp ... I want to create a new field (let's call it "phase_name") that describes which "phase" of the program each event belongs to. For example, in the case of: aaRegistration ... ... events during “aaRegistration” phase, all with datestamp ... aaCalibration I want the new field where all events after " aaRegistration" and before " aaCalibration" to have "phase_name" = "aaRegistration" My ultimate goal is to (hopefully) be able to retrieve all events belonging to the "aaRegistration" phase by using the "phase_name" field in a transaction. Thank you. = = = = = = = Hello, Somesh: Here's a set of actual events from my log files. Thank you for your assistance. 2013-12-30 16:11:16 966 LOG-1 aaRegistration 2013-12-30 16:11:17 006 LOG-1 vmstat:... 2013-12-30 16:11:17 007 LOG-1 vmstat:... 2013-12-30 16:11:17 007 LOG-1 vmstat:... 2013-12-30 16:11:17 043 LOG-1 free:... 2013-12-30 16:11:17 043 LOG-1 free: ... 2013-12-30 16:11:17 043 LOG-1 free: ... 2013-12-30 16:11:17 043 LOG-1 free: ... 2013-12-30 16:11:17 066 LOG-1 GetPre.. 2013-12-30 16:11:17 470 LOG-1 Rob... 2013-12-30 16:11:17 490 LOG-1 _Send... 2013-12-30 16:11:17 603 LOG-1 Ro... 2013-12-30 16:11:17 790 LOG-1 _Send... 2013-12-30 16:11:17 800 LOG-1 Ro... 2013-12-30 16:11:17 800 LOG-1 Ro... 2013-12-30 16:11:17 800 LOG-1 _Send... 2013-12-30 16:11:17 810 LOG-1 Ro... 2013-12-30 16:11:17 810 LOG-1 Ro... 2013-12-30 16:21:16 649 LOG-1 CAUGHT AN ERROR: ... 2013-12-30 16:21:16 649 LOG-1 CAUGHT AN ERROR: ... 2013-12-30 16:21:16 649 LOG-1 CAUGHT AN ERROR: ... 2013-12-30 16:21:16 649 LOG-1 CAUGHT AN ERROR: ... 2013-12-30 16:21:16 901 LOG-1 ---------------------------------------- 2013-12-30 16:21:16 904 LOG-1 aaCalibration Unfortunately I can not use [number of events] / [time lapse] between phases as a marker. I have to dynamically create a "counter" that says "aaRegistration starts here, all future events are assigned this label" until the parser encounters an event starting with "aa" that marks the beginning of the next phase. Thanks.

jlacal · ‎07-30-2014

Hello: Not really answering my own question but just posting this as it may be useful to others facing the same issue. "You have to have a common field to match on for the transaction command" From: http://answers.splunk.com/answers/91742/grouping-of-similar-events It looks like I may need to create a new field to use for the "transaction" to group on. Using my example above, I may need to add a new field (let's call it "phase_name") that describes which "phase" of the program each event belongs to. For example: aaRegistration ... ... events during “aaRegistration” phase, all with datestamp ... aaCalibration I may need to add a new field where all events after aaRegistration have "phase_name" = "aaRegistration" Then I may (hopefully) be able to retrieve the "aaRegistration" transaction by using the "phase_name" field.

jlacal · ‎07-29-2014

Howdy: I'm a new Splunker so this may be a dumb question. I have looked around splunk>Answers and couldn't find a solution to my problem, So here it goes. Using Splunk Enterprise 6.1.2 on Mac OS X. transactiontypes.conf has this definition: [aaRegistration] maxspan = 2h maxpause = 2h maxevents = 10000 unifyends = t fields = _time, host, _raw startswith = "::aaRegistration" endswith = "aa" The indexed events already loaded into Splunk look like this: ... aaRegistration ... ... events during “aaRegistration” phase, all with datestamp ... aaCalibration .. .... events during “aaCalibration” phase, all with datestamp ... aaInfo ... ... events during “aaInfo” phase ... aaMarks ... ... events during “aaMarks” phase, all with datestamp ... When I search with this: host=hostA sourcetype="typeB" earliest="05/02/2014:00:00:00" latest="05/03/2014:00:00:00" | transaction name=aaRegistration The result does show the one event that starts the transaction. But I do not get any of the events between the start and the end, just a single event. Question: what do I need to change to be able to see a list of all events that occurred between the start and the end of the “aaRegistration” phase? Pointers appreciated. Thanks.

Posts	5
Solutions	0
Karma Given	1
Karma Received	2
Member Since	‎07-28-2014

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

How to create a new field based on sequence of eve...

Transaction not providing all events in target ran...

Re: How to create a new field based on sequence of...

Re: How to create a new field based on sequence of...

How to create a new field based on sequence of eve...

Re: Transaction not providing all events in target...

Transaction not providing all events in target ran...