Search to Pull Values from START log

_gkollias
SplunkTrust

I have a search that monitors failed POs.

Essentially the idea is to monitor the overall state of the transaction and whether it fails, so I calculate latest(status) as Exit_Status to find the overall status of a transaction.

What happens when the transaction fails, though, is we lose valuable customer information from the START log that our support could really use in determining the root cause.

How can I pull the values from the START log, but still monitor the overall status of the PO?

Here is my search:

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=*fail bp_bp_name=PO
| eval marker=coalesce(bp_context_id, svc_context_id)
| stats earliest(_time) as start_time, latest(_time) as end_time, first(svc_context_name) as svc_context_name, first(FromIdentity) as FromIdentity, first(TPCode) as TPCode, first(PONumber) as PONumber, latest(status) as exit_status, first(other) as exit_message by marker
| eval duration=end_time-start_time
| eval _time=start_time
| convert ctime(start_time) ctime(end_time)

The output of the alert typically has blank fields for the PO Number, TPCode, and FromIdentity.

I have been playing around with the search, but I haven't been able to pull those values from the start log of the order into the alert when monitoring the overall status of FAIL.

Any suggestions would be awesome...thanks in advance!!


somesoni2
SplunkTrust

Try this

I don't have the status values for start and end log, so please update that accordingly, in line 3.

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="status=ERROR OR status=COMPLETE"
| eval end_time=_time+duration | eval start_time=_time | convert ctime(start_time) ctime(end_time)
| eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message

_gkollias
SplunkTrust

Thanks for the response. I'm not getting any results back after updating the third line:

index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="FAIL*"
| eval end_time=_time+duration | eval start_time=_time | convert ctime(start_time) ctime(end_time)
| eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message

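A corrected search, added here as an editor's example rather than code posted by either participant. Both searches above keep a status filter in the base search (status=*fail in the question, status=fail* in the answer), so only the failure events are ever retrieved: the START event, which is the one carrying PONumber, TPCode and FromIdentity, never reaches stats or transaction. That is why those fields come back blank in the first search and why the startswith="status=START" clause has nothing to match in the second. The fix is to retrieve every event of the PO transaction, aggregate by marker, and only then filter on the aggregated exit status. earliest() replaces first() for the START fields because first() returns the first value in search order (normally the most recent event), whereas earliest() is tied to the chronologically earliest event, i.e. the START log. The exit_status pattern fail* is an assumption taken from the later posts; adjust it to the actual status values in the esb_audit data.

```spl
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" bp_bp_name=PO
| eval marker=coalesce(bp_context_id, svc_context_id)
| stats earliest(_time) as start_time,
        latest(_time) as end_time,
        earliest(svc_context_name) as svc_context_name,
        earliest(FromIdentity) as FromIdentity,
        earliest(TPCode) as TPCode,
        earliest(PONumber) as PONumber,
        latest(status) as exit_status,
        latest(other) as exit_message
        by marker
| search exit_status=fail*
| eval duration=end_time-start_time
| eval _time=start_time
| convert ctime(start_time) ctime(end_time)
| table marker start_time end_time duration svc_context_name FromIdentity TPCode PONumber exit_status exit_message
```

Filtering after stats costs more than filtering in the base search, since every PO event in the time range is read, but it is the only way the START fields can be present on the failed rows. If the volume is a concern, restrict the time range of the alert or add an indexed-field filter that both START and failure events share; any filter on status itself will reintroduce the blank fields.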