Splunk Search

Clarification on transaction command

Jananee_iNautix
Path Finder

Hi,

There is a requirement to group the events that start with "String1" and end with "String2" as a transaction, OR group the events that startswith="String3" and endswith="String4", in the same search query and extract fields. I tried the search query as follows:

index=axr |transaction startswith="String1" endswith="String2" OR transaction startswith="String3" endswith="String4"

But I get an error, as there is no option to have two startswith and endswith options.

Is there any way available in Splunk to accomplish this requirement? Please advise. The sample logs:

20141205::User logged off(String1 of transaction)
.
.
.
.
.
20141206::IBMX_fer:failed to ftp(String3 of transaction)
.
.
.
.
.
20141207 ::No translation(String4 of transaction)
.
.
.
.
.
20141208 ::Processing complete(String2 of transaction)


MuS
SplunkTrust

Hi Jananee_iNautix,

Your transaction will not work because of the startswith="" endswith="" OR startswith="" endswith="" options, which are supposed to be provided only once.

If your events only have either string1 or string3 and string2 or string4, then you could try something like this:

your base search to get all needed events | eval mystart=coalesce(string1, string3) | eval myend=if(mystart=string1, string2, string4) | transaction startswith=mystart endswith=myend | ...

Some minor updates to the wording and the search command, based on the two comments below 😉

hope this helps ...

cheers, MuS


MuS
SplunkTrust

Okay, this is why you should always provide some sample logs when asking something.... it looks like your string1|2|3|4 is not a field. You really mean a string of words. So the first thing to do is to get those words into some field, because the evals I used are all based on fields called string1 or string2 and so on.

Read more about field extraction here http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/Addfieldsatsearchtime
and use the newly created field as shown in my example.

Jananee_iNautix
Path Finder

When working with the query given by you, the events of the transaction involving String3 & String4 don't get loaded. The transaction String3 & String4 is inside the transaction String1 & String2. In such cases, will the query work as expected? I have also uploaded the sample logs in the question. Please take a look at the logs and advise.


MuS
SplunkTrust

If your events only contain either String1 or String3, you can test my search command. It will take either String1 or String3 as startswith and, depending on startswith, sets either String2 or String4 as endswith.


Jananee_iNautix
Path Finder

My requirement is that the transaction should start with "String1" and end with "String2" strictly, and the other transaction should startswith="String3" and endswith="String4" strictly. There should not be other combinations. Can you please suggest any way to do that?


lguinn2
Legend

I don't see anything wrong with the initial search of index=axr


MuS
SplunkTrust

That's true, but as long as no log examples are provided this is all just if - when - maybe - you - could ... then again, one can add another if to check eval myend=if(mystart=string1, string2, string4) ...


gfuente
Motivator

Hello MuS

In your solution you could end up with "starts with string 1 and ends with string 4" as a valid transaction. And it seems that string 1 would only end with string 3 (not 3 or 4).

Regards
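One way to get the strict pairing asked for in the question (String1 closed only by String2, String3 closed only by String4, even when one pair sits inside the other, and none of the cross-combinations gfuente points out) is to build each transaction in its own search and append the results, so the transaction command never sees the other pair's markers. The SPL below is an added example and not a search posted by anyone in this thread. It assumes index=axr from the question, that the four markers are the literal phrases shown in the sample logs ("User logged off", "Processing complete", "failed to ftp", "No translation"), and that only the marker lines themselves need to land in each transaction; the intermediate events shown as dots in the sample are deliberately excluded, which is what keeps the nested pair from being swallowed by the outer one.

```spl
index=axr ("User logged off" OR "Processing complete")
| transaction startswith="User logged off" endswith="Processing complete"
| eval txn_type="String1_String2"
| append
    [ search index=axr ("failed to ftp" OR "No translation")
      | transaction startswith="failed to ftp" endswith="No translation"
      | eval txn_type="String3_String4" ]
| where closed_txn=1
| table _time txn_type duration eventcount
```

The where closed_txn=1 clause drops a transaction that found its start marker but never saw the matching end marker (for example a still-running job), so only complete pairs are reported; remove it if open transactions should be visible. Because the second transaction runs inside an append subsearch, it is subject to the subsearch result and time limits, so on large indexes narrow the time range or the search terms rather than relying on the subsearch to scan everything.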
