How to edit a transaction search with multiple "en...

srinivasup · ‎05-19-2017

hi,

i have a search to get duration of the job, let's say startswith=started endswith=success
But in some case the job may fail, now it should be enddswith=FAILURE

now i want to write single search to get SUCCESS OR FAILURE JOB and their duration, starttime, endtime and status

Ex:

| transaction JOB startswith="EVENT: STARTJOB" endswith="STATUS: SUCCESS" -- this is only for success

| transaction JOB startswith="EVENT: STARTJOB" endswith="STATUS: SUCCESS or FAILURE" - ITS NOT WORKING

inventsekar · ‎05-21-2017

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Transaction
endswith
Syntax:
endswith=
Description: A search or eval expression which, if satisfied by an event, marks the end of a transaction.

Updated one...Try this one -
| transaction JOB startswith="EVENT: STARTJOB" endswith="STATUS: SUCCESS" OR "STATUS: FAILURE"

cpetterborg · ‎05-19-2017

Can you just use STATUS:? If s, then just do:

| transaction JOB startswith="EVENT: STARTJOB" endswith="STATUS:"

It could be a problem if you have other lines with STATUS:, but only in that case.

somesoni2 · ‎05-19-2017

How about this?

| transaction JOB startswith="EVENT: STARTJOB" endswith="(STATUS: SUCCESS) OR (STATUS: FAILURE)"

How to edit a transaction search with multiple "endswith" option?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...