Splunk Search

Returning all events during the period of a transaction

dharalson
Engager

Brief Synopsis: I have a system that users log into and create a case, which moves around some data and does some processing of it. My goal is to have Splunk generate a report after each Case that will be sent to the user. Eventually I will trim down to only sending all the error entries in the report, but right now I would just like the report to be a listing of all the log entries in the index (there are several log files from different sub-systems feeding the index) that took place while the Case was running.

I have a search that is accurately creating transactions for each case:

index=EDS | transaction caseName maxspan=-1 maxpause=-1

That returns the following when run manually (when set as an alert it correctly triggers a separate email at the completion of each Case):

6/12/12 1:02:10.000 PM

[06/12/2012 13:02:10 MainForm INFO ] - Case: TESTCASE02 Started at 1:02:10 PM with MAX_THREADS = 2
[06/12/2012 14:44:52 MainForm INFO ] - Case: TESTCASE02 Resolved at 2:44:52 PM

source=D:\EDS\Logs\EDS.Client.log    caseName=Case: TESTCASE02

6/12/12 11:59:17.000 AM

[06/12/2012 11:59:17 MainForm INFO ] - Case: TESTCASE01 Started at 11:59:17 AM with MAX_THREADS = 2
[06/12/2012 13:01:31 MainForm INFO ] - Case: TESTCASE01 Resolved at 1:01:31 PM

source=D:\EDS\Logs\EDS.Client.log    caseName=Case: TESTCASE01

I've tried all kinds of different ways to get all the entries between to show, but have been unsuccessful. I have also created 2 eventtypes: caseStart and caseFinish, that accurately pull out those same 2 entries. I thought that maybe I could use those as boundaries for a secondary search, but haven't been successful. Can anyone point me in the correct direction that I should be going to accomplish this task? Any help would be great, thanks!


Lamar
Splunk Employee

Try using:

index=EDS | transaction startswith=Started endswith=Resolved

The problem with this is that Splunk is going to 'guess' what goes with this particular transaction. You may not get all of the information that you really care about.

dharalson
Engager

Thanks, that got me in the direction I needed to go. As you said, just using "Started" and "Resolved" didn't work because it then picked up sub-processes going on inside the overall case, as separate transactions. I was able to take the queries I had used to define the caseStart and caseFinish eventtypes and substitute them in the arguments instead. That seemed to work. Thanks for your help!

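To show why the bare `startswith=Started endswith=Resolved` boundaries from the accepted answer split a case apart, and why the case-level boundaries from the follow-up keep every entry (errors included) inside one transaction, here is an added Python model of that grouping. It is not Splunk's implementation or anyone's code from this thread: the log lines are constructed, the grouping is a simplified time-ordered scan, and the `Case: ... Started at` / `Resolved at` regexes are an assumed stand-in for the caseStart/caseFinish eventtypes, whose real definitions are not given here.

```python
import re
from typing import Callable, Iterable, List, Optional

# Constructed sample of the EDS client log (not real data): one case that
# contains a sub-process which also logs its own "Started"/"Resolved" lines.
SAMPLE_LOG = """\
[06/12/2012 13:02:10 MainForm INFO ] - Case: TESTCASE02 Started at 1:02:10 PM with MAX_THREADS = 2
[06/12/2012 13:05:41 Loader   INFO ] - Import Started for batch 7
[06/12/2012 13:09:03 Loader   ERROR] - Record 42 rejected: bad checksum
[06/12/2012 13:12:55 Loader   INFO ] - Import Resolved for batch 7
[06/12/2012 14:44:52 MainForm INFO ] - Case: TESTCASE02 Resolved at 2:44:52 PM
""".splitlines()

Pred = Callable[[str], bool]


def group_transactions(lines: Iterable[str], starts: Pred, ends: Pred) -> List[List[str]]:
    """Simplified model of `transaction startswith=... endswith=...`:
    scanning in time order, a start match opens a new group (closing any
    open one), an end match closes the open group, and every other line
    joins whichever group is currently open."""
    groups: List[List[str]] = []
    current: Optional[List[str]] = None
    for line in lines:
        if starts(line):
            if current:
                groups.append(current)  # a new start cuts the previous group short
            current = [line]
        elif ends(line):
            current = (current or []) + [line]
            groups.append(current)
            current = None
        elif current is not None:
            current.append(line)
    if current:
        groups.append(current)
    return groups


# Naive boundaries from the accepted answer: any line containing the bare word.
naive = group_transactions(SAMPLE_LOG, lambda l: "Started" in l, lambda l: "Resolved" in l)

# Case-level boundaries, as the follow-up describes (assumed patterns standing
# in for the caseStart/caseFinish eventtypes): only MainForm case lines qualify.
CASE_START = re.compile(r"- Case: \S+ Started at")
CASE_END = re.compile(r"- Case: \S+ Resolved at")
strict = group_transactions(
    SAMPLE_LOG,
    lambda l: bool(CASE_START.search(l)),
    lambda l: bool(CASE_END.search(l)),
)
```

With the naive boundaries the sub-process lines become their own transaction and the case start and case end are left in separate fragments; with the case-level boundaries everything, including the ERROR line, lands in a single transaction.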