Splunk Search

How to write search to find number of Splunk transaction that start and end with certain condition?

btcs2
Engager

I need to find number of events that start with certain conditions and ends with certain condition . 

example 

index="*" source="*" | transacton startWith=C OR D endWith=A OR B 

Need to find count .. 

How to do it ?

Labels (1)
Tags (2)
0 Karma

fredclown
Builder

Is something like this what you are looking for? All the stuff before the transaction command is just to create some test events.

| makeresults count=12
| streamstats count
| eval _time=_time + count
| eval value = case(count=1, "A", count=2, "C", count=3, "A", count=4, "D", count=5, "B", count=6, "C", count=7, "B", count=8, "D", count=9, "A", count=10, "F", count="11", "A", count="12", "G")
| eval ip = "192.168.0.1"
| transaction ip startswith=eval(value="A" OR value="B") endswith=eval(value="C" OR value="D")

 

0 Karma

btcs2
Engager

No transaction startwith  is not working with multiple OR .. one start with and multiple end with is working . so do we have a solution for this ?

Tags (2)
0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

I grabbed the Splunk tutorial data (from googling "splunk search tutorial") for this example.

source="tutorialdata.zip:*"
| transaction clientip JSESSIONID startswith=(action=addtocart) endswith=(action=purchase)

Note - the syntax for the startswith and endswith keyword specifications/filters. A transaction is created for each unique pair of clientip and JSESSIONID with succesful add's to cart and purchase.

Hope this helps.

0 Karma

btcs2
Engager

yes this will work . my question is that how to add multiple start with and multiple end with .. or alternative for the transaction .

index="prod" source="mysource" | transaction startswith="create happening for test" endswith=("create done for test " OR "create not done for test" )|stats count

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

I'll do my best to make pseudo SPL here:)

index="prod" source="mysource"

| transaction startswith=(fieldname=start_field_value OR filename=alternate_start_field_value) endswith=(diff_fieldname=end_value OR diff_fieldname2=alternate_fieldvalue)

|stats count

You will need to encapsulate your search in "()". If you could share field names, values desired, that would help.

I used  an old eventgen data set and came up with the following. You can use this with your index(es), sourcetypes, etc. 

index=main
| transaction clientip JSESSIONID startswith=(status=200 action=addtocart) endswith=(status=200 AND action=purchase)
| stats count by host

You can insert SPL into the "()" to define start and end. I would avoid using clear text search for any of the start/end filters though.

0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

When you use "transaction", there is a field created called "eventcount" which shows how many events are in each transaction. You can look for max eventcount, stats count by, etc .... 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...