Hi all Splunkers!
So transactions.
I have 3 eventtypes, let's call them et-A, et-B and et-C, and I want to find all transactions in a particular order,
where the boundaries are startswith=A and maxpause=30d.
95% of cases are
"A->C",
"A->C->C->C"
"A->B->C+" etc.
The ones I want to find have the structure:
"A->C->B->C"
The search is:
eventtype="et-*" |transaction id startswith=eval(eventtype=="et-A") maxpause=30d|where eventcount>3
Is there any good way to search out transactions with the desired order of events?
Thanks!
I've been searching around here in Answers for a bit and can't find an equivalent question. So if there is one, just answer with a link to that question.
You could set mvlist=t to make transaction output the eventtype values in the original order, then check that order (the values to compare against are the full eventtype names, et-C and et-B, not the shorthand C and B):
eventtype="et-*" |transaction mvlist=t id startswith=eval(eventtype=="et-A") maxpause=30d|where eventcount>3 AND (mvindex(eventtype,0)=="et-A" AND mvindex(eventtype,1)=="et-C" AND mvindex(eventtype,2)=="et-B" AND mvindex(eventtype,3)=="et-C")
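To make the logic of the answer above concrete outside Splunk, here is an added Python model of what the search does: group events by id, open a transaction at each et-A, close it when the gap to the next event exceeds maxpause, keep the eventtypes in event order (what mvlist=t preserves), and then test the ordered sequence against the wanted pattern. This is example code written for this page, not Splunk's transaction implementation, and it simplifies one point: events that arrive while no transaction is open are dropped, which is an assumption made here rather than a statement about Splunk's exact behaviour. The sample events and the ids t1 to t5 are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, id, eventtype)
SAMPLE_EVENTS = [
    # t1: the wanted shape A->C->B->C
    ("2024-01-01T00:00:00", "t1", "et-A"),
    ("2024-01-02T00:00:00", "t1", "et-C"),
    ("2024-01-03T00:00:00", "t1", "et-B"),
    ("2024-01-04T00:00:00", "t1", "et-C"),
    # t2: the common A->C
    ("2024-01-01T00:00:00", "t2", "et-A"),
    ("2024-01-02T00:00:00", "t2", "et-C"),
    # t3: A->B->C->C, four events but the wrong order
    ("2024-01-01T00:00:00", "t3", "et-A"),
    ("2024-01-02T00:00:00", "t3", "et-B"),
    ("2024-01-03T00:00:00", "t3", "et-C"),
    ("2024-01-04T00:00:00", "t3", "et-C"),
    # t4: A->C->B->C, but the B comes more than 30 days later, so maxpause splits it
    ("2024-01-01T00:00:00", "t4", "et-A"),
    ("2024-01-02T00:00:00", "t4", "et-C"),
    ("2024-03-15T00:00:00", "t4", "et-B"),
    ("2024-03-16T00:00:00", "t4", "et-C"),
    # t5: the wanted shape, but the events arrive out of order in the input
    ("2024-01-03T00:00:00", "t5", "et-B"),
    ("2024-01-01T00:00:00", "t5", "et-A"),
    ("2024-01-02T00:00:00", "t5", "et-C"),
    ("2024-01-04T00:00:00", "t5", "et-C"),
]


def build_transactions(events, start_type="et-A", maxpause=timedelta(days=30)):
    """Approximate `transaction id startswith=eval(eventtype=="et-A") maxpause=30d mvlist=t`.

    Events are grouped by id and walked in time order. A start_type event opens a
    new transaction (closing any open one); a gap longer than maxpause also closes
    the open transaction. Events seen while no transaction is open are dropped
    (an assumption of this model, not a claim about Splunk's exact behaviour).
    Each transaction keeps its eventtypes in event order, like mvlist=t does.
    """
    parsed = sorted(
        ((datetime.fromisoformat(ts), tid, et) for ts, tid, et in events),
        key=lambda e: (e[1], e[0]),
    )
    txns = []
    open_txn = None
    last_id = None
    last_ts = None

    def close():
        nonlocal open_txn
        if open_txn is not None:
            open_txn["eventcount"] = len(open_txn["eventtype"])
            txns.append(open_txn)
            open_txn = None

    for ts, tid, et in parsed:
        # A new id, or a pause longer than maxpause, ends the open transaction.
        if tid != last_id or (open_txn is not None and ts - last_ts > maxpause):
            close()
        if et == start_type:
            close()
            open_txn = {"id": tid, "eventtype": []}
        if open_txn is not None:
            open_txn["eventtype"].append(et)
            last_ts = ts
        last_id = tid
    close()
    return txns


def has_order(txn, pattern=r"^et-A>et-C>et-B>et-C"):
    """Join the ordered eventtypes with '>' and regex-match the wanted sequence."""
    return re.search(pattern, ">".join(txn["eventtype"])) is not None


def find_ordered_transactions(events, pattern=r"^et-A>et-C>et-B>et-C", min_events=4):
    """Equivalent of `| where eventcount>3 AND <order check>`; returns matching ids."""
    return [
        t["id"]
        for t in build_transactions(events)
        if t["eventcount"] >= min_events and has_order(t, pattern)
    ]


if __name__ == "__main__":
    print(find_ordered_transactions(SAMPLE_EVENTS))  # ['t1', 't5']
```

The join-and-regex step is the same idea expressed in SPL as `| eval seq=mvjoin(eventtype,">") | where match(seq, "^et-A>et-C>et-B>et-C")`, which is easier to maintain than a fixed list of mvindex positions and still matches transactions that carry extra events after the wanted prefix. Note that t4 is not found: the 30-day pause splits it into an A->C transaction and orphaned events, which is exactly what maxpause=30d does to the real search.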