Hi,
I am trying to use the transaction command to get the various calls involved in completing a transaction. In simple English, a call may go like this:
App1-Func calls App2-FuncA one event logging
App2-FuncA calls App3-FuncB one event logging
App3-FuncB calls App4-FuncC one event logging
App4-FuncC has exception, writes one exception event
App3-FuncB receives exception, writes one exception event
App2-FuncA receives exception, writes one exception event
App1-Func receives exception, writes one exception event
Every event has the same transaction Id, so I am able to club all these 7 events using the following command:
index=trans OR index=except | transaction transactionId
This command, as it should, gives multivalued fields, hence when I issue a table command, I just get unique values for each field that too sorted.
Is there any way to show all the fields for all the events involved, in the order they appear in the transaction, generating output like:
App, Called App, Called Func, Start Time, status, error Message (if status=fail)
App1, App2, FuncA, xxxx, Pass, NA
App2, App3, FuncB, yyyy, Pass, NA
App3, App4, FuncC, zzzz, Pass, NA
App3, App4, FuncC, qqqq, Fail, Something bad happened at FuncC
App2, App3, FuncB, aaaa, Fail, Something bad happened at FuncB
App1, App2, FuncA, bbbb, Fail, Something bad happened at FuncA
App1, -, Func, cccc, Fail, Something bad happened at Func
Docs are your friend! 🙂
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexicographically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. Defaults to f.
I should get my glasses fixed now 😉 Thanks, this helps.
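A small Python model of the mvlist modes quoted in the answer above, showing why the default loses the per-event rows and how mvlist=t keeps them. It is an added example, not part of the original thread and not Splunk's code; the field names (app, calledFunc, status) and the seven events are constructed from the question's expected output.

```python
from collections import defaultdict

# Constructed sample: the seven events from the question, in arrival order.
SAMPLE = [("App1", "FuncA", "Pass"), ("App2", "FuncB", "Pass"),
          ("App3", "FuncC", "Pass"), ("App3", "FuncC", "Fail"),
          ("App2", "FuncB", "Fail"), ("App1", "FuncA", "Fail"),
          ("App1", "Func", "Fail")]
EVENTS = [{"transactionId": "t1", "app": a, "calledFunc": f, "status": s}
          for a, f, s in SAMPLE]


def transaction(events, key, mvlist=False):
    """Group events by `key` and merge their fields as the mvlist text describes.

    mvlist=False    -> each field is its unique values, sorted lexicographically
    mvlist=True     -> each field lists every value in arrival order
    mvlist=[fields] -> only the named fields are rendered as lists
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)

    merged = {}
    for tid, evs in groups.items():
        names = []
        for ev in evs:  # collect field names, keeping first-seen order
            names += [n for n in ev if n != key and n not in names]
        fields = {}
        for name in names:
            values = [ev[name] for ev in evs if name in ev]
            as_list = mvlist is True or (
                not isinstance(mvlist, bool) and name in mvlist)
            fields[name] = values if as_list else sorted(set(values))
        merged[tid] = fields
    return merged


def rows(fields, columns):
    """Zip list-valued fields back into one row per original event.

    Only meaningful when every column was rendered as a full list (mvlist=True
    and each event carries each field, as in the constructed sample)."""
    return list(zip(*(fields[c] for c in columns)))


if __name__ == "__main__":
    print(transaction(EVENTS, "transactionId")["t1"])        # default view
    listed = transaction(EVENTS, "transactionId", mvlist=True)["t1"]
    for row in rows(listed, ["app", "calledFunc", "status"]):
        print(*row)
```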