Splunk Search

How to search for transactions associated with another field?

mikylace
Explorer

I have to send automated reports to a partner with logs and MSISDN that failed due to timeout. Logs are divided by steps, so if I look for telephone number:

<wstxns1:addresses>tel:573162xxxx</wstxns1:addresse>

I can get them easily, but I don't know if they're failing because the error is shown a step/field after. If I search for the error, it's easy too, but I can't see the phone number associated because it's a step/field before.

msg=Exception timeout launched when sending a SMS MT to SMS ParlayX Enabler: The timeout period of 30000ms has been exceeded

The only field in common between those fields is a correlatorID

corr=22cb1367-d04a-47e1-994f-d5df70d98001

If I search with it on my sourcetype, I can get all steps, but I get only that, and I need all of them that are failing... Any idea? 🙂


aholzel
Communicator

seems like something for the transaction command

base search
| transaction correlatorID
| .....

also see: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Transaction


mikylace
Explorer

I found it! 🙂
Thanks man!

http://answers.splunk.com/answers/138588/joining-multiple-events-via-a-common-field.html
http://docs.splunk.com/Documentation/Splunk/6.1.7/Search/Abouttransactions

index=pconnectindex sourcetype=parlayx | transaction corr | search lvl=ERROR

Basically, the "transaction" command groups multiple events into a single meta-event that represents a single physical event. In my case, sending an SMS has generated several events, with the "corr" field in common. To see the failed ones, I just have to "search" for the level "ERROR".

Piece of cake!
thankyou so much!

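As an added illustration, not code from either post, here is the same grouping and filtering done offline in Python over constructed sample events laid out like the ones in the question, so the effect of `transaction corr | search lvl=ERROR` can be seen event by event; the second and third correlator IDs and all MSISDNs are made up.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs) in the shape the thread describes: each SMS
# send yields several events sharing "corr"; the MSISDN and the error sit in different steps.
SAMPLE_EVENTS = [
    "corr=22cb1367-d04a-47e1-994f-d5df70d98001 lvl=INFO <wstxns1:addresses>tel:573162000001</wstxns1:addresses>",
    "corr=22cb1367-d04a-47e1-994f-d5df70d98001 lvl=INFO msg=Sending SMS MT to SMS ParlayX Enabler",
    "corr=22cb1367-d04a-47e1-994f-d5df70d98001 lvl=ERROR msg=Exception timeout launched when sending a SMS MT to SMS ParlayX Enabler: The timeout period of 30000ms has been exceeded",
    "corr=7a1f0c2e-0000-4000-8000-000000000002 lvl=INFO <wstxns1:addresses>tel:573162000002</wstxns1:addresses>",
    "corr=7a1f0c2e-0000-4000-8000-000000000002 lvl=INFO msg=SMS MT delivered",
    "corr=9b2e1d3f-0000-4000-8000-000000000003 lvl=INFO <wstxns1:addresses>tel:573162000003</wstxns1:addresses>",
    "corr=9b2e1d3f-0000-4000-8000-000000000003 lvl=ERROR msg=Exception timeout launched when sending a SMS MT to SMS ParlayX Enabler: The timeout period of 30000ms has been exceeded",
    "lvl=ERROR msg=no correlator here, so transaction would not group this event",
]

CORR_RE = re.compile(r"\bcorr=([0-9a-f-]+)")
LVL_RE = re.compile(r"\blvl=(\w+)")
TEL_RE = re.compile(r"tel:(\d+)")
MSG_RE = re.compile(r"\bmsg=(.*)$")

def field(regex, event):
    """First capture of regex in event, or None if the field is absent."""
    m = regex.search(event)
    return m.group(1) if m else None

def transaction(events):
    """Emulate `| transaction corr`: group events by correlator ID, in order."""
    groups = defaultdict(list)
    for ev in events:
        corr = field(CORR_RE, ev)
        if corr:  # events with no corr field fall out, as in Splunk
            groups[corr].append(ev)
    return groups

def failed_transactions(events):
    """Emulate `| transaction corr | search lvl=ERROR`; return (corr, MSISDN, error
    message) so the number from the earlier step is tied to the later timeout."""
    report = []
    for corr, evs in transaction(events).items():
        errors = [ev for ev in evs if field(LVL_RE, ev) == "ERROR"]
        if not errors:
            continue  # transaction completed without an ERROR event
        tels = [t for t in (field(TEL_RE, ev) for ev in evs) if t]
        report.append((corr, tels[0] if tels else None, field(MSG_RE, errors[0])))
    return report

if __name__ == "__main__":
    for row in failed_transactions(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

In Splunk itself each grouped result also carries the `duration` and `eventcount` fields that `transaction` adds; this standalone script reproduces only the grouping and the ERROR filter.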

aholzel
Communicator

glad I could help
