How to edit my search to only display policy numbe...

athorat · ‎08-05-2016

index="np_dpa" PROXYNAME="ProcessUBIDeviceFulfillmentCommunication" Application="Datapower" TransactionStatus="FAIL" TransactionDesc="VOUCHER_INVALID" | table PolicyNumber,DeviceFulfillResp, DeviceFulfillErrorVins, CorrelationId, _time | fields - _raw | sort _time

I have this serach which displays the policy number details and its related fields. This is for all the failed transactions (TransactionStatus="FAIL").

As soon as the policy is reprocessed, its transaction status will change to success. I want the panel to exclude those policy numbers where the transaction status is changed.

Using | stats latest(TransactionStatus) by CorrelationId does not display data ...

martin_mueller · ‎08-05-2016

Something like this?

  index="np_dpa" PROXYNAME="ProcessUBIDeviceFulfillmentCommunication" Application="Datapower" (TransactionStatus="FAIL" OR TransactionStatus="SUCCESS") TransactionDesc="VOUCHER_INVALID"
| stats max(_time) as _time values(PolicyNumber) as PolicyNumber values(DeviceFulfillResp) as DeviceFulfillResp values(DeviceFulfillErrorVins) as DeviceFulfillErrorVins values(TransactionStatus) as TransactionStatus by CorrelationId
| search NOT TransactionStatus="SUCCESS"
| sort _time

That'll load both successes and failures, bunch up all events for an ID, and discard those that have a success.

How to edit my search to only display policy numbers with a failed transaction status?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!