Searching for the last 100 events, irrespective of...

JeremyJ123 · ‎11-18-2021

I am trying to search through transactions and check their response codes so that we can determine a percentage of failed/declined transactions. However, based on the fact that transactions could be limited to 5-10 per hour or could go as high as 1000 per hour, I need a way to check every 100 events/transactions, how many were approved and how many were declined.

I have not found a way to search for the last 100 while ignoring the time period, i.e. if i search for the last 5 minutes for 100 transactions/events it may only return 2, I need it to go past the 5 minutes and find the last 100 transactions. If i increase the search time to 30 minutes, it may find 100 but there could be 1000, and this is not an accurate reflection of the percentage of approved/declined transactions

PickleRick · ‎11-18-2021

No. Splunk's indexes are time-based. There is no inherent eventID to select events by. You could number events by streamstats and select by that sequence number but...

1) it's highly inefficient (you have to streamstats all events from given time range)

2) You're still limited to your initial time range regardless of how many events you get there.

Searching for the last 100 events, irrespective of time

other

stats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms