- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create transaction based on multiple extrac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create transactions out of following log data
2014-07-22 09:42:04.189 linguini.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>critical</severity><kpiname>lanIf Bandwidth Utilization In</kpiname><target>EXT</target><targetparent>qc-markham1-gigabitethernet0/0/0-1</targetparent><errorcode /><date>1406046310</date><eventsourcehost>linguini</eventsourcehost><eventsource>CONCORD</eventsource><message>qc-markham1-gigabitethernet0/0/0-1 EXT -- Bandwidth in over 90% -- qc-markham1 GigabitEthernet0/0/0-1-EXT</message><notifygroup>NETRS</notifygroup></alert></send2mom>
2014-07-22 08:58:07.506 linguini.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>normal</severity><kpiname>lanIf Bandwidth Utilization In</kpiname><target>EXT</target><targetparent>qc-markham1-gigabitethernet0/0/0-1</targetparent><errorcode /><date>1406040715</date><eventsourcehost>linguini</eventsourcehost><eventsource>CONCORD</eventsource><message>qc-markham1-gigabitethernet0/0/0-1 EXT -- Bandwidth in over 90% -- qc-markham1 GigabitEthernet0/0/0-1-EXT</message><notifygroup>NETRS</notifygroup></alert></send2mom>
2014-07-22 08:54:22.714 skinner.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>critical</severity><kpiname>lanIf Bandwidth Utilization</kpiname><target>Vlan402</target><targetparent>san-transit-e</targetparent><errorcode /><date>1406042837</date><eventsourcehost>skinner</eventsourcehost><eventsource>CONCORD</eventsource><message>BW over 80% -- san-transit-e Vlan402</message><notifygroup>NETRS</notifygroup></alert></send2mom>
Following is my base search
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify | rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"| search kpi = wanIf OR lanIf | eval device_interface = device." - ".interface*
What I am trying to do is create a transaction based on three extracted fields device-interface, bandwidth and severity. A transaction starts with either critical or major severity and ends with normal .
I am able to device endswith and startswith but if I introduce fields=device_interface bandwidth option splunk error out with *
Error in 'transaction': The fields option is invalid when a list of fields is provided in the argument list.
Is there a way to use a list of fields to indicate transaction and use a different field to indicate start and end of transaction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it without using the "fields" keyword. Instead, just list the fields you want to use immediately after the transaction command. Something like this:
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify
| rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"
| search kpi = wanIf OR lanIf
| eval device_interface = device." - ".interface*
| transaction device_interface bandwidth option startswith="severity=critical OR severity=major" endswith="severity=normal"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it without using the "fields" keyword. Instead, just list the fields you want to use immediately after the transaction command. Something like this:
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify
| rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"
| search kpi = wanIf OR lanIf
| eval device_interface = device." - ".interface*
| transaction device_interface bandwidth option startswith="severity=critical OR severity=major" endswith="severity=normal"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you this is exactly what I was missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post your full search?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
