Splunk Search

Search to Pull Values from START log

_gkollias
SplunkTrust

I have a search that monitors failed POs.

Essentially the idea is to monitor the overall state of the txn, and whether it fails, so I calculate latest(status) as Exit_Status to find the overall status of a transaction.

What happens when the txn fails, though, is we lose valuable customer information from the START log that our support could really use in determining the root cause.

How can I pull the values from the START LOG, but still monitor the overall status of the PO?

Here is my search:

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=*fail bp_bp_name=PO
| eval marker=coalesce(bp_context_id, svc_context_id)
| stats earliest(_time) as start_time, latest(_time) as end_time, first(svc_context_name) as svc_context_name, first(FromIdentity) as FromIdentity, first(TPCode) as TPCode, first(PONumber) as PONumber, latest(status) as exit_status, first(other) as exit_message by marker
| eval duration=end_time-start_time
| eval _time=start_time
| convert ctime(start_time) ctime(end_time)

The output of the alert typically has blank fields for the PO Number, TPCode, and FromIdentity.

I have been playing around with the search, but I haven't been able to pull those values from the start log of the order into the alert when monitoring the overall status of FAIL.

Any suggestions would be awesome...thanks in advance!!


somesoni2
SplunkTrust

Try this:

I don't have the status values for start and end log, so please update that accordingly, in line 3.

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id) 
| transaction marker startswith="status=START" endswith="status=ERROR OR status=COMPLETE" 
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time) 
|eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message

_gkollias
SplunkTrust

Thanks for the response. I'm not getting any results back after updating the third line...

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="FAIL*"
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time)
| eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message

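The blank fields come from the base search itself: `status=*fail` keeps only the failure events, so the START event that carries PONumber, TPCode and FromIdentity never reaches stats, and the same filter in the transaction version leaves startswith="status=START" nothing to match. The search below is an added example, not code from either post: it drops the status filter, takes the customer fields from the chronologically earliest event per marker, and applies the failure test only after aggregation. It assumes the failing status value contains "fail" in any case (hence the regex rather than a fixed literal) and that bp_bp_name=PO already excludes the Task events.

```spl
index=contract_gateway sourcetype=esb_audit esb_top_level=1 bp_bp_name=PO
| eval marker=coalesce(bp_context_id, svc_context_id)
| stats earliest(_time) as start_time,
        latest(_time) as end_time,
        earliest(svc_context_name) as svc_context_name,
        earliest(FromIdentity) as FromIdentity,
        earliest(TPCode) as TPCode,
        earliest(PONumber) as PONumber,
        latest(status) as exit_status,
        latest(other) as exit_message
    by marker
| where match(exit_status, "(?i)fail")
| eval duration=end_time-start_time, _time=start_time
| convert ctime(start_time) ctime(end_time)
| table marker start_time end_time duration svc_context_name FromIdentity TPCode PONumber exit_status exit_message
```

Because status is no longer filtered before stats, latest(status) reflects the real final state of each PO, so an order that logged a failure and later reached COMPLETE is not reported as failed; the earlier search would have alerted on it because only its fail events were ever visible.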