Splunk Search

Transaction command in Oracle XML Logging

imarks004
Path Finder

I am trying to do a search that matches on the term of commit, then use the transaction statement to tie it back to everything that has the same OS_Process field but since every event does not contain the term commit, it does not show all the events. Is this possible? This is search "sourcetype=oracle_xml_* commit | transaction OS_Process | table Sql_Text | reverse"

Tags (1)
0 Karma
1 Solution

David
Splunk Employee
Splunk Employee

I'm not sure how to get you 100% there, without playing with the data, but I'd try to avoid using Transaction, as it slows down the search considerably. I might try one of these options and see how close they get you:

[search sourcetype=oracle_xml_* commit | dedup OS_Process | fields OS_Process] 
       | table _time OS_Process Sql_Text 
       | sort OS_Process, _time

[search sourcetype=oracle_xml_* commit | dedup OS_Process | fields OS_Process] 
       | stats values(Sql_Text) by OS_Process

These will do a subsearch of the logs for anything containing "commit" and then pull out just the OS_Process. That way, you can do a search for just logs that actually have a commit in them, speeding up the search. You can then try to do a stats values(), or just a table with the texts. I think the latter is probably closest to what you want, but I'm not sure whether values() will sort the data oddly.

View solution in original post

David
Splunk Employee
Splunk Employee

I'm not sure how to get you 100% there, without playing with the data, but I'd try to avoid using Transaction, as it slows down the search considerably. I might try one of these options and see how close they get you:

[search sourcetype=oracle_xml_* commit | dedup OS_Process | fields OS_Process] 
       | table _time OS_Process Sql_Text 
       | sort OS_Process, _time

[search sourcetype=oracle_xml_* commit | dedup OS_Process | fields OS_Process] 
       | stats values(Sql_Text) by OS_Process

These will do a subsearch of the logs for anything containing "commit" and then pull out just the OS_Process. That way, you can do a search for just logs that actually have a commit in them, speeding up the search. You can then try to do a stats values(), or just a table with the texts. I think the latter is probably closest to what you want, but I'm not sure whether values() will sort the data oddly.

David
Splunk Employee
Splunk Employee

Excellent! I'm glad to hear that solved it for you.

0 Karma

imarks004
Path Finder

Thanks David, this worked great for me.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...