Splunk Search

How do I search for the Errored Transaction_IDs ONLY, then take those Errored TIDs and search for each entry related to them?

shariefc
New Member
index=my_server sourcetype=server1_log NOT "status=SUCCESS" "client_id=my_client"

returns

TID=0101010101 client_id=my_client action=response status=ERROR 
TID=0101010102 client_id=my_client action=response status=ERROR 
TID=0101010103 client_id=my_client action=response status=ERROR 

Now I want to take the list of Errored TIDs the first search returns and do another search that returns everything related to each TID including the parts that were successful.

TID=0101010101 client_id=my_client action=request status=SUCCESS
TID=0101010101 client_id=my_client action=begin status=SUCCESS
TID=0101010101 client_id=my_client action=middle status=SUCCESS
TID=0101010101 client_id=my_client action=end status=SUCCESS
TID=0101010101 client_id=my_client action=response status=ERROR
...
TID=0101010102 client_id=my_client action=request status=SUCCESS
TID=0101010102 client_id=my_client action=begin status=SUCCESS
TID=0101010102 client_id=my_client action=middle status=SUCCESS
TID=0101010102 client_id=my_client action=end status=SUCCESS
TID=0101010102 client_id=my_client action=response status=ERROR
...
TID=0101010103 client_id=my_client action=request status=SUCCESS
TID=0101010103 client_id=my_client action=begin status=SUCCESS
TID=0101010103 client_id=my_client action=middle status=SUCCESS
TID=0101010103 client_id=my_client action=end status=SUCCESS
TID=0101010103 client_id=my_client action=response status=ERROR
0 Karma
1 Solution

ryoji_solsys
Explorer

Would you like to try this ...

index=my_server sourcetype=server1_log  [ | search index=my_server sourcetype=server1_log NOT "status=SUCCESS" "client_id=my_client" | fields TID]


0 Karma

shariefc
New Member

This worked perfectly. Thanks ryoji_solsys.

transaction fields=TID

WOW!!!! I think you know what I wanted better than I did. This is perfect!!!!! Thanks for all the help everyone.

0 Karma

ryoji_solsys
Explorer

If you want all the events to be in one transaction, just add | transaction fields=TID at the end of the query above.

E.g.

index=my_server sourcetype=server1_log [ | search index=my_server sourcetype=server1_log NOT "status=SUCCESS" "client_id=my_client" | fields TID] | transaction fields=TID
0 Karma

sundareshr
Legend

Try this

index=my_server sourcetype=server1_log | extract pairdelim=" " kvdelim="=" | eventstats count(eval(status="ERROR")) as err by client_id TID | where err>0 
0 Karma
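To make the difference between the two approaches in this thread concrete, here is an added Python model (not Splunk code and not from any poster) of what the searches do. It parses constructed key=value lines of the same shape as the question, runs the subsearch pattern (errored TIDs first, then every event for those TIDs, then a rough `transaction fields=TID` grouping), and runs sundareshr's single-pass `eventstats ... by client_id TID | where err>0`. The sample data and all function names are my own; one TID is deliberately shared with a second client_id to show that the subsearch drops the client_id constraint while the eventstats variant keeps it.

```python
"""
Added example: a Python model of the SPL patterns discussed in this thread.
It is not Splunk code; it mimics the searches over constructed log lines so
the behaviour of the subsearch and the eventstats approach can be compared.
"""
import re
from collections import defaultdict

# Constructed sample events (not real server1_log data). TIDs ...01 and ...03
# contain an ERROR; ...02 succeeds end to end. TID ...03 also has one event
# from a different client_id to expose the difference between the approaches.
SAMPLE_LOG = """\
TID=0101010101 client_id=my_client action=request status=SUCCESS
TID=0101010101 client_id=my_client action=begin status=SUCCESS
TID=0101010101 client_id=my_client action=response status=ERROR
TID=0101010102 client_id=my_client action=request status=SUCCESS
TID=0101010102 client_id=my_client action=response status=SUCCESS
TID=0101010103 client_id=other_client action=request status=SUCCESS
TID=0101010103 client_id=my_client action=response status=ERROR
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Model of '| extract pairdelim=" " kvdelim="="': each line becomes a dict."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def subsearch_tids(events, client_id="my_client"):
    """Inner search: NOT "status=SUCCESS" "client_id=<client>" | fields TID.
    Returns the distinct TIDs the subsearch hands to the outer search."""
    return sorted({e["TID"] for e in events
                   if e.get("status") != "SUCCESS" and e.get("client_id") == client_id})


def render_subsearch(tids):
    """Approximation of the term Splunk substitutes for the subsearch
    (inspect the real expansion with '| format' on the inner search)."""
    return "(" + " OR ".join(f'TID="{t}"' for t in tids) + ")"


def outer_search(events, tids):
    """Outer search: every event whose TID is in the subsearch result,
    SUCCESS events included, and with no client_id restriction."""
    wanted = set(tids)
    return [e for e in events if e.get("TID") in wanted]


def transactions(events):
    """Rough model of '| transaction fields=TID': group events per TID in
    arrival order and report eventcount plus whether an ERROR is present."""
    groups = defaultdict(list)
    for e in events:
        groups[e["TID"]].append(e)
    return {tid: {"eventcount": len(evs),
                  "actions": [e.get("action") for e in evs],
                  "has_error": any(e.get("status") == "ERROR" for e in evs)}
            for tid, evs in groups.items()}


def eventstats_filter(events):
    """Single-pass alternative from the thread:
    eventstats count(eval(status="ERROR")) as err by client_id TID | where err>0."""
    err = defaultdict(int)
    for e in events:
        if e.get("status") == "ERROR":
            err[(e.get("client_id"), e.get("TID"))] += 1
    return [e for e in events if err[(e.get("client_id"), e.get("TID"))] > 0]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    tids = subsearch_tids(events)
    print("subsearch expands to:", render_subsearch(tids))
    for tid, tx in transactions(outer_search(events, tids)).items():
        print(tid, tx)
    print("eventstats keeps", len(eventstats_filter(events)), "events")
```

Two practical notes when running the real SPL: a subsearch is truncated silently at the limits.conf `[subsearch]` defaults (10,000 results and 60 seconds), so a very long list of errored TIDs should be checked with `| format` or by comparing counts against the eventstats variant, which has no such cap; and because the subsearch only returns `TID`, the outer search returns events for those TIDs from every client_id, whereas grouping `by client_id TID` keeps the client restriction.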

shariefc
New Member

Thanks sundareshr I tried this but it was not exactly what I wanted. Maybe I didn't explain myself properly.

0 Karma