Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search for a sequence of events in a transaction

gundepalli
Explorer
‎01-10-2014 11:28 AM

I have a log file that I am grouping the events using transaction command based on session ID. Within each transaction i need to find two events (event A and event B)that occur in a sequence and the second event being the last event in the transaction. I need only transactions that have event A.
Here is what I have so far:

index=xyz | transaction sessionid endswith="event B" | search "event A" .

The above query pulls all transactions that surely have "event A" and ends with "event B". But how do i pull only events that have "event A" followed by "event B" , event B being the last event in the transaction.

Help appreciated.
Thanks in advance

Tags (2)
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:49 AM

EDIT: We want to find the entire transaction, but filter down the set to only those in which event B was last. I'm going to assume that there's some field that differentiates event A from event B, and further, for the example below, I'm going to assume that the value of that field is either A or B (or something else as appropriate). Let's call this field event_id.

index=xyz | transaction mvlist=event_id sessionid | where mvindex(event_id, -1) == "B"

This says "build a transaction across the sessionid, treating the event_id field as a multi-value field", then "filter events where the last value of the event_id multi-value field is "B". Hopefully you've got fields within your events that enable such a search. If not, it gets a bit more complicated.

Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 12:00 PM

Oh, I see. When you dictate "endswith", you declare that the transaction ends with event B, so Splunk will say "oh, that transaction's done, next!", and it will always appear that event B was the last event. I'll edit my above post to reflect what you want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:55 AM

I would like to see all the events in the transaction that has event B as the last event and the one preceding it as event A. the above search wouldonly have transactions with event A and B which is not what i want.

0 Karma
Reply

gundepalli
Explorer
‎01-10-2014 11:40 AM

yes, Event B always follows event A. They are consecutive events. Event A and Event B are the only once i care about in the transaction and need to pull just those transactions.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎01-10-2014 11:37 AM

And are event A and event B the only events you care about in this transaction?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2014 11:36 AM

I'm confused. If the transaction contains Event A and ends with Event B then won't Event B always follow Event A? Do you mean no intervening events?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...