Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you create a transaction with multiple startswith and endswith string pairs?

lyonsjm21
Engager
‎07-12-2017 09:11 AM

We have data from multiple sources and are capturing the first ten digits of a alphanumeric string as observed in the regex in the below search string.

We are trying to capture transaction timings of when a message is created to when it's completed. Each message type will have different logging from the other, hence the various startswith strings listed below:

index=index sourcetype=logs
| rex "^(?:[^:\n]*:){4}(?P\w+)"
| transaction ObjectID startswith="starting pointone" OR "starting pointtwo" OR "starting pointthree" OR "starting pointfour"
endswith="ending pointone" OR "ending pointtwo"
| table _time ObjectID source host duration

Does anyone know of a way to handle multiple string pairs for both startswith and endswith?

Also, we are using 6.5.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-12-2017 09:57 AM

This is a great demonstration case for the general rule - NEVER use transaction when something else will do. In this case, stats gets you your answer better, faster, easier.

 your search that extracts the records you want for a start or end of a "transaction", with _time ObjectID source and host without worrying which of those records it might be, just any records that are one or the other
| stats min(_time) as StartTime max(_time) as EndTime by ObjectID source host
| eval duration = EndTime-StartTime

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-12-2017 09:57 AM

This is a great demonstration case for the general rule - NEVER use transaction when something else will do. In this case, stats gets you your answer better, faster, easier.

 your search that extracts the records you want for a start or end of a "transaction", with _time ObjectID source and host without worrying which of those records it might be, just any records that are one or the other
| stats min(_time) as StartTime max(_time) as EndTime by ObjectID source host
| eval duration = EndTime-StartTime
Reply
Solved! Jump to solution

lyonsjm21
Engager
‎07-13-2017 03:13 AM

Thanks DalJeanis. That worked a treat.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-12-2017 09:52 AM

make sure to mark your code as code so that the interface doesn't eat anything in angle brackets.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...