Re: Finding events immediately following/preceding...

AjayTakur · ‎04-19-2023

I have to search for events

I have one event let's say MIT=" step started"
and another event says MIT=" step completed"

Now I have to ensure that both events have been included in my search criteria
in such a way that

Case 1:The first event is started the second event will get completed.

Case 2: If the first event is not started then the second event will also not be complete.
Considering these conditions I need search criteria.

woodcock · ‎04-20-2023

Never use the "transaction" command for production. Try this:

index="YourIndexHere" AND sourcetype="YourSourcetypeHere" AND MIT IN("step started", step completed")
| stremstats count(eval(MIT="stepstarted")) AS SessionID BY host ```And maybe other fields here```
| stats min(_time) AS _time range(_time) AS duration dc(MIT) AS MITcount values(MIT) AS MIT BY host ``And maybe other fields here```

inventsekar · ‎04-19-2023

Hi @AjayTakur

the question is bit confusion, but, nevertheless, basically you need Splunk's transaction command:

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Transaction#Basic_Examples

Very basic rough draft SPL:

index=a source=b sourcetype=c 
| transaction MIT startswith=" step started" endswith=" step completed" maxspan=2s

AjayTakur · ‎04-20-2023

for two different events ie., started and successful the successful might not be an event happening after started then, in this case, is this search criteria correct?

index=a source=b | transaction startswith=MIT="Local Step started." endswith=MIT="Copy step successful." keepevicted=true | search closed_txn=0

How to find events immediately following/preceding another event?

count

fields

join

lookup

search job inspector

stats

subsearch

table

transaction

tstats

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...