- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to only return events that have no ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk community,
I'm currently trying to correlate different event sources and events with each other.
My search gives me the following results:
Event A
Event B
Event A
Event B
Event B <---
Event A
Event B
Event A
Event B
etc.
You can see that there is one Event B that has no Event A in front of it.
Can I somehow tell Splunk to only show events where the Event is only B and no A before or only A and no B afterwards?
I know about transaction, but I don't know how to only show results that do not match a transaction condition.
Any suggestions to solve this without transactions?
Thank you in advance!
Regards,
pyro_wood
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have used transaction command and grouping appears right, you can use the keepevicted & closed_txn options to show events that are not grouped. So your command will look something like this
.... | transaction <unique_field> startswith=abc endswith=xyz keepevicted=t | table _raw closed_txn | where closed_txn=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Without transaction it could look like this by using the streamstats command:
| streamstats last(event) AS previous_event current=f window=1
| search event="B" AND previous_event!="A"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can include filter for event=A as well here. Like
....
| search (event="B" AND previous_event!="A") OR (event="A" AND previous_event!="B")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your suggestions!
I'll try them aswell!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have used transaction command and grouping appears right, you can use the keepevicted & closed_txn options to show events that are not grouped. So your command will look something like this
.... | transaction <unique_field> startswith=abc endswith=xyz keepevicted=t | table _raw closed_txn | where closed_txn=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
keepevicted=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow! :)))))))
Keepevicted is such a useful parameter. I almost gave up, not finding any solution.
Thank you, you literally made my day! 🙂
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
