Splunk Search

Returning all events during the period of a transaction

dharalson
Engager

Brief Synopsis: I have a system that users log into and create a case, which moves around some data and does some processing of it. My goal is to have Splunk generate a report after each Case that will be sent to the user. Eventually I will trim down to only sending all the error entries in the report, but right now I would just like the report to be a listing of all the log entries in the index (there are several log files from different sub-systems feeding the index) that took place while the Case was running.

I have a search that is accurately creating transactions for each case:

index=EDS | transaction caseName maxspan=-1 maxpause=-1

That returns the following when run manually (when set as an alert it correctly triggers a separate email at the completion of each Case):

6/12/12 1:02:10.000 PM
[06/12/2012 13:02:10 MainForm INFO ] - Case: TESTCASE02 Started at 1:02:10 PM with MAX_THREADS = 2
[06/12/2012 14:44:52 MainForm INFO ] - Case: TESTCASE02 Resolved at 2:44:52 PM
source=D:\EDS\Logs\EDS.Client.log   caseName=Case: TESTCASE02

6/12/12 11:59:17.000 AM
[06/12/2012 11:59:17 MainForm INFO ] - Case: TESTCASE01 Started at 11:59:17 AM with MAX_THREADS = 2
[06/12/2012 13:01:31 MainForm INFO ] - Case: TESTCASE01 Resolved at 1:01:31 PM
source=D:\EDS\Logs\EDS.Client.log   caseName=Case: TESTCASE01

I've tried all kinds of different ways to get all the entries in between to show, but have been unsuccessful. I have also created 2 eventtypes, caseStart and caseFinish, that accurately pull out those same 2 entries. I thought that maybe I could use those as boundaries for a secondary search, but haven't been successful. Can anyone point me in the correct direction that I should be going to accomplish this task? Any help would be great, thanks!

1 Solution

Lamar
Splunk Employee

Try using:

index=EDS | transaction startswith=Started endswith=Resolved

The problem with this is that Splunk is going to 'guess' what goes with this particular transaction. You may not get all of the information that you really care about.


dharalson
Engager

Thanks, that got me in the direction I needed to go. As you said, just using "Started" and "Resolved" didn't work because it then picked up sub-processes going on inside the overall case as separate transactions. I was able to take the queries I had used to define the caseStart and caseFinish eventtypes and substitute them in the arguments instead. That seemed to work. Thanks for your help!

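To make the difference between the two boundary choices concrete, here is an added Python example (not code from the thread or from Splunk) that mimics what transaction startswith/endswith does over constructed lines in the same log format: a loose "Started" boundary cuts the first case short at a sub-process message, while boundaries anchored on the "Case: ... Started at" / "Resolved at" text (my assumed stand-ins for the caseStart/caseFinish eventtypes, whose real definitions are not on the page) keep every event from every sub-system inside each case window.

```python
import re
from datetime import datetime

# Constructed sample lines in the page's log format (not real EDS output).
# The "Thread 1 Started" line stands in for a sub-process message that a bare
# startswith=Started would treat as a new transaction boundary.
SAMPLE_LOG = [
    "[06/12/2012 11:59:17 MainForm INFO ] - Case: TESTCASE01 Started at 11:59:17 AM with MAX_THREADS = 2",
    "[06/12/2012 12:03:40 Worker INFO ] - Thread 1 Started for TESTCASE01",
    "[06/12/2012 12:10:02 Loader ERROR ] - Failed to copy file batch 7",
    "[06/12/2012 13:01:31 MainForm INFO ] - Case: TESTCASE01 Resolved at 1:01:31 PM",
    "[06/12/2012 13:02:10 MainForm INFO ] - Case: TESTCASE02 Started at 1:02:10 PM with MAX_THREADS = 2",
    "[06/12/2012 13:30:00 Loader WARN ] - Retrying batch 2",
    "[06/12/2012 14:44:52 MainForm INFO ] - Case: TESTCASE02 Resolved at 2:44:52 PM",
]

TS = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ")
# Loose boundaries, as in the accepted answer.
LOOSE_START, LOOSE_END = re.compile(r"Started"), re.compile(r"Resolved")
# Assumed anchored boundaries standing in for the caseStart/caseFinish eventtypes.
CASE_START = re.compile(r"Case: (\S+) Started at")
CASE_END = re.compile(r"Case: (\S+) Resolved at")

def event_time(line):
    return datetime.strptime(TS.match(line).group(1), "%m/%d/%Y %H:%M:%S")

def case_windows(lines, start_re, end_re):
    """Return [(label, [events])], mimicking transaction startswith/endswith:
    a start match opens a window (closing any still-open one), an end match
    closes it, and every event in between is kept whatever sub-system wrote it."""
    windows, current = [], None
    for line in sorted(lines, key=event_time):
        m = start_re.search(line)
        if m:
            if current is not None:      # an unterminated window is cut short here
                windows.append(current)
            label = m.group(1) if m.lastindex else m.group(0)
            current = (label, [line])
            continue
        if current is None:
            continue                     # event outside any case window
        current[1].append(line)
        if end_re.search(line):
            windows.append(current)
            current = None
    if current is not None:
        windows.append(current)
    return windows

def errors_in_window(events):
    """The follow-on filter the question mentions: only ERROR entries of a case."""
    return [e for e in events if " ERROR ]" in e]
```

Running case_windows with the loose patterns yields three windows, the first holding only the TESTCASE01 start line; the anchored patterns yield exactly one window per case with the Loader lines included.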