9/12/2023 0 Comments

Splunk transaction same event

Question:

I am just starting with Splunk, still do not have much practical experience. I need to aggregate sequences of all consecutive events with a field Door="Open", delimited with a sequence of events with a field Door="Closed", into multiple transactions. How can I achieve that? I tried the transaction command with startswith and endswith but it fails:

```
index transaction startswith='banana' maxevents=2
```

Does not work as expected. For all transactions I plan to get: duration and difference between temperatures at the beginning and the end of each transaction. At least ideas on which directions to take would be appreciated. A code example would be great.

Answer:

For the transaction command to work, you would need to add transaction IDs to your events; this way there will be a one-time effort for logging, however query performance will be better (even stats can be used instead of transaction based on the transaction ID).

Seems like your current logs are being generated at periodic intervals and log the Door status at that time. It does not seem to be based only on actual Door Open or Closed events, because of which there are multiple Open and Closed events together. Having said this, keep in mind the sort order in Splunk may not be the same as what you are thinking, so what you think of as the 'next' event may not be what Splunk considers to be the 'next' event.

Give the following query a try. The query resets Count using streamstats after every event where Door is Closed. The SPL accum command is used to generate the cumulative Count. Based on the types of transaction scenarios provided, following are some of the cases to change the cumulative count to generate transaction IDs:

1) If the Door is Open and the Count = 1, then it is the first event of the transaction. Increment the Transaction ID to be used for the current transaction.
2) If the Door is Open and the Count > 1, then the door is still open and has not been closed, so keep the same Transaction ID as the first Open status.
3) If the Door is Closed and the Count > 1, then keep the Transaction ID the same as the first Open status.
4) If the Door is Closed and the Count = 1, then use the incremented Transaction ID, as it is the only event in the transaction.
5) Default: use the incremented Transaction ID.

```
| streamstats count as Count reset_after="("Door=\"Closed\"")"
| eval transID=case(Door="Open" AND Count=1,transID,Door="Closed" AND Count>1,transID-(Count-1),Door="Open" AND Count>1,transID-(Count-1),Door="Closed" AND Count=1,transID,1=1,transID)
| table Count _time Door Temperature transID
| stats count as EventCount first(_time) as StartTime first(Temperature) as StartTemp last(_time) as EndTime last(Temperature) as EndTemp values(Door) as DoorStatus by transID
| eval duration=tostring(EndTime-StartTime,"duration")
| eval tempChange=EndTemp-StartTemp
| eval StartTime=strftime(StartTime,"%c")
| search EventCount>1 AND DoorStatus="Closed" AND DoorStatus="Open"
| table transID EventCount DoorStatus duration tempChange
```

PS: You can change the case conditions here based on other scenarios/changes as per your requirements.

PS: The final search with EventCount and DoorStatus can be used to identify various scenarios like Door Opened but Not Closed etc.
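The Python below is an added example, not code from the thread above or from Splunk: it models what the answer's pipeline does (the streamstats reset after each Closed event, the case() that folds a group back onto its first event, and the stats by transID) over a constructed sample log, so the transaction arithmetic can be checked outside Splunk. It assumes the cumulative count the answer builds with accum is a plain running row number; that step is not shown on the page, and the row-number assumption is what makes transID-(Count-1) land on the row of the group's first event. The sample events are listed newest first on purpose, which is Splunk's default return order, to show why the rows must be sorted by time before the running count is taken.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: int          # epoch seconds; constructed sample data, not real logs
    door: str          # "Open" or "Closed"
    temperature: float


# Constructed sample log, deliberately newest first (Splunk's default order).
SAMPLE_EVENTS = [
    Event(480, "Open", 22.5),
    Event(420, "Open", 22.0),
    Event(360, "Closed", 19.5),
    Event(300, "Closed", 19.5),
    Event(240, "Open", 19.0),
    Event(180, "Closed", 21.5),
    Event(120, "Open", 21.0),
    Event(60, "Open", 20.5),
    Event(0, "Open", 20.0),
]


def assign_transaction_ids(events):
    """Model of `sort _time | streamstats count as Count reset_after=(Door=Closed)`
    followed by the answer's eval case(...). Returns (event, Count, transID) rows."""
    rows = []
    count = 0
    for row, ev in enumerate(sorted(events, key=lambda e: e.time), start=1):
        count += 1
        # Assumption: the cumulative count built with accum is the row number,
        # so row - (Count - 1) is the row of the first event in this group.
        if count == 1:
            trans_id = row                 # cases 1 and 4, and the default
        else:
            trans_id = row - (count - 1)   # cases 2 and 3
        rows.append((ev, count, trans_id))
        if ev.door == "Closed":
            count = 0                      # reset_after: next event restarts at 1
    return rows


def summarize_transactions(events):
    """Model of `stats count first/last(_time) first/last(Temperature) values(Door) by transID`."""
    groups = {}
    for ev, _count, tid in assign_transaction_ids(events):
        groups.setdefault(tid, []).append(ev)
    summary = []
    for tid in sorted(groups):
        evs = groups[tid]   # already in time order from assign_transaction_ids
        summary.append({
            "transID": tid,
            "EventCount": len(evs),
            "DoorStatus": sorted({e.door for e in evs}),
            "duration": evs[-1].time - evs[0].time,
            "tempChange": evs[-1].temperature - evs[0].temperature,
        })
    return summary


def complete_transactions(summary):
    """The answer's final filter: EventCount>1 AND DoorStatus="Closed" AND DoorStatus="Open"."""
    return [s for s in summary
            if s["EventCount"] > 1 and {"Open", "Closed"} <= set(s["DoorStatus"])]


def opened_but_not_closed(summary):
    """The scenario named in the answer's PS: a group that never saw a Closed event."""
    return [s for s in summary if "Closed" not in s["DoorStatus"]]


if __name__ == "__main__":
    summary = summarize_transactions(SAMPLE_EVENTS)
    for s in summary:
        print(s)
    print("complete:", [s["transID"] for s in complete_transactions(summary)])
    print("opened but not closed:", [s["transID"] for s in opened_but_not_closed(summary)])
```

On the sample the Closed event at t=360 has Count=1 and becomes a one-event transaction (case 4), and the two trailing Open events form a group with no Closed status, which is exactly what the answer's PS suggests filtering for. If the rows were fed in Splunk's newest-first order without the sort, the reset would fire before the Open events instead of after them and every group boundary would shift by one.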