Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find all events not having a prior event

rune_hellem
Contributor
‎09-08-2020 10:04 AM

Today we had an issue in our production environment - a cluster did restart without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix the for me.

We are running WebSpere and whenever a JVM is being started it will log an event like this

 

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business

 

 If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged 

 

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

 

This is what I have tried (ref this answer)

 

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1

 

 But - no - it does find all "stop then started", but no the two "started without stopped"-events. 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2020 11:53 AM

Add the keeporphans=true option to the transaction command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rune_hellem
Contributor
‎09-09-2020 06:51 AM

Did try 

index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true

but it does not capture te e-business without ADM10201-message 

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...