Tracking of particular field

N92 · ‎03-19-2018

I have two fields from them I want to track particular one field with starting of this & ending of that value. For that, I have written as shown below. Is any correction needed?

| transaction abc xyz startswith=(xyz="something") endswith=(cs_uri_stem="anything") maxspan=1s

Here currently I have added maxspan=1s but I want to check immediate next event with anything value which may occur before 1s.
I want to focus on only immediate next event from abc.

Another question is: Here I am tracking only one value. But how can I track field value in both the field. share any eg.

tiagofbmm · ‎03-19-2018

Have you checked the

maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000

That with value 2 will get you the immediate next event with abc value.

N92 · ‎03-19-2018

| transaction abc xyz startswith=(xyz="something") endswith=(xyz="anything") maxevents=2

If I am adding maxevents then it will match xyz's starting & ending value also?

After matching xyz value it will go further & check maxevents for abc field?

tiagofbmm · ‎03-21-2018

Yes.

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

Tracking of particular field

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor