Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search for a sequence of events in a transaction

gundepalli
Explorer
‎01-10-2014 11:28 AM

I have a log file that I am grouping the events using transaction command based on session ID. Within each transaction i need to find two events (event A and event B)that occur in a sequence and the second event being the last event in the transaction. I need only transactions that have event A.
Here is what I have so far:

index=xyz | transaction sessionid endswith="event B" | search "event A" .

The above query pulls all transactions that surely have "event A" and ends with "event B". But how do i pull only events that have "event A" followed by "event B" , event B being the last event in the transaction.

Help appreciated.
Thanks in advance

Tags (2)
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:49 AM

EDIT: We want to find the entire transaction, but filter down the set to only those in which event B was last. I'm going to assume that there's some field that differentiates event A from event B, and further, for the example below, I'm going to assume that the value of that field is either A or B (or something else as appropriate). Let's call this field event_id.

index=xyz | transaction mvlist=event_id sessionid | where mvindex(event_id, -1) == "B"

This says "build a transaction across the sessionid, treating the event_id field as a multi-value field", then "filter events where the last value of the event_id multi-value field is "B". Hopefully you've got fields within your events that enable such a search. If not, it gets a bit more complicated.

Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 12:00 PM

Oh, I see. When you dictate "endswith", you declare that the transaction ends with event B, so Splunk will say "oh, that transaction's done, next!", and it will always appear that event B was the last event. I'll edit my above post to reflect what you want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:55 AM

I would like to see all the events in the transaction that has event B as the last event and the one preceding it as event A. the above search wouldonly have transactions with event A and B which is not what i want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:40 AM

yes, Event B always follows event A. They are consecutive events. Event A and Event B are the only once i care about in the transaction and need to pull just those transactions.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:37 AM

And are event A and event B the only events you care about in this transaction?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2014 11:36 AM

I'm confused. If the transaction contains Event A and ends with Event B then won't Event B always follow Event A? Do you mean no intervening events?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...