- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have created a search to get the order of specified Events from hosts.
index=*SC "SPK CONLOC SERVER RECEIVED R" | transaction host
10.12.2015 12:02:29 SPK CONLOC SERVER RECEIVED R B:B002: 16: 5: 5137: 2926:2:40:9:P:
10.12.2015 12:11:16 SPK CONLOC SERVER RECEIVED R B:ROAD: 1: 1: 6618: 566:1:40:9:D:
10.12.2015 12:19:22 SPK CONLOC SERVER RECEIVED R B:B002: 16: 3: 5137: 2799:2:40:9:P:
10.12.2015 12:25:13 SPK CONLOC SERVER RECEIVED R B: 6587: 410:1:40:2:D:
10.12.2015 12:31:17 SPK CONLOC SERVER RECEIVED R B:A002: 13:15: 5016: 1967:1:40:9:P:
10.12.2015 12:38:11 SPK CONLOC SERVER RECEIVED R B: 6175: 166:1:40:9:D:
10.12.2015 12:43:59 SPK CONLOC SERVER RECEIVED R B:B002: 20: 9: 5298: 3183:1:40:9:P:
10.12.2015 13:16:20 SPK CONLOC SERVER RECEIVED R B: 6130: 445:1:40:9:D:
Normally, the order is the P D P D P D P D. When this happens, everything is ok. We are searching for the sequence when it looks like P P D P D P or P D D P D P .
Best regards,
Axel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
...| rex ":(?<irr>[A-Z]):$" | streamstats current=f window=1 first(irr) as pirr | table _raw irr pirr | where irr=pirr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks about your answer, in combination with transaction the streamstats functions will not work. I add at the streamstats command by host and Splunk made a Filter on Host.I have retype the search and get all I need.
index=*SC "SPK CONLOC SERVER RECEIVED R" | sort host | rex ":(?
Best regards
Axel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this answers your question, please mark it as answered so it can be closed. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it correct with Accepted Answer? It is my first question.
