- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search for transactions associated with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to send automated reports to a partner with logs and MSISDN that failed due to timeout. Logs are divided by steps, so if I look for telephone number:
<wstxns1:addresses>tel:573162xxxx</wstxns1:addresse>
I can get them easily, but I don't know if they're failing because the error is showed a step/field after. If I search for the error, it's easy too, but I can't see the phone number associated because it's a step/field before
msg=Exception timeout launched when sending a SMS MT to SMS ParlayX Enabler: The timeout period of 30000ms has been exceeded
The only field in common between those fields is a correlatorID
corr=22cb1367-d04a-47e1-994f-d5df70d98001
If I search with it on my sourcetype, I can get all steps, but I get only that, and I need all of them that are failing... Any idea? 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems like something for the transaction command
base search
| transaction correlatorID
| .....
also see: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems like something for the transaction command
base search
| transaction correlatorID
| .....
also see: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found it! 🙂
Thanks man!
http://answers.splunk.com/answers/138588/joining-multiple-events-via-a-common-field.html
http://docs.splunk.com/Documentation/Splunk/6.1.7/Search/Abouttransactions
index=pconnectindex sourcetype=parlayx | transaction corr | search lvl=ERROR
basically, the "transaction" command groups multiple events into a single meta-event that represents a single physical event. In my case, sending an SMS have generated several events, with the "corr" field in common. To see the failed ones, I just have to "search" for the level "ERROR".
Piece of cake!
thankyou so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
glad I could help
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
