Community:Search Alert: How to use transaction to identify a transaction which find a "start" event but not "end" event

From Splunk Wiki

----------
QUESTION
----------
I have the following sample event logs.
I'm looking for events that start with action=NotFinished but have no action=Finished within 60 sec of the NotFinished event.


#
# test-transaction.log
#
2/18/2012 10:05:20 user=user1 file=file1 virus=Bad1 action=Finished
2/18/2012 10:06:20 user=user1 file=file2 virus=Bad2 action=Finished
2/18/2012 10:06:20 user=user3 file=file3 virus=Bad3 action=Finished
2/18/2012 10:11:20 user=user1 file=file1 virus=Bad1 action=NotFinished  <== This is okay because there is a "Finished" action within 60 sec
2/18/2012 10:11:20 user=user2 file=file2 virus=Bad1 action=NotFinished  <== This event does not have a "Finished" action within 60 sec.
2/18/2012 10:12:10 user=user1 file=file1 virus=Bad1 action=Finished
2/18/2012 10:16:20 user=user1 file=file2 virus=Bad2 action=Finished
2/18/2012 10:16:20 user=user2 file=file2 virus=Bad1 action=NotFinished
2/18/2012 10:16:20 user=user3 file=file3 virus=Bad3 action=Finished
2/18/2012 10:16:20 user=user4 file=file4 virus=Bad4 action=Finished
2/18/2012 10:16:40 user=user2 file=file2 virus=Bad1 action=Finished

-----------
A SOLUTION:
-----------

1. Index the sample log

$ ./splunk add oneshot test-transaction.log -host testTrans01 -auth admin:changeme


2. Create a search query
  - Create a unique key if there is no such field in the event. (eval F=user + ":" + file + ":" + virus)
  - transaction
       keeporphans=1  ; Keep the start event even when there is no closing event
       unifyends  =t  ; startswith and endswith must match on the same field value (F)
       maxspan    =1m ; Window between the startswith and endswith events is 1 minute

$ splunk search
     'host=testTrans01
        | eval F=user + ":" + file + ":" + virus
        | transaction F keeporphans=1 unifyends=t startswith=NotFinished
                                                  endswith=Finished maxspan=1m
        | eval Closed=closed_txn
        | eval Orphan=_txn_orphan
        | fillnull Orphan
        | eval Raw=_raw
        | table _time action F Orphan Closed'
  -auth admin:changeme

           _time              action           F         Orphan Closed
--------------------------- ----------- ---------------- ------ ------
2012-02-18 10:16:20.000 PST Finished    user2:file2:Bad1      0      1
                            NotFinished
2012-02-18 10:16:20.000 PST Finished    user1:file2:Bad2      0      1
2012-02-18 10:16:20.000 PST Finished    user3:file3:Bad3      0      1
2012-02-18 10:16:20.000 PST Finished    user4:file4:Bad4      0      1
2012-02-18 10:11:20.000 PST NotFinished user2:file2:Bad1      1
2012-02-18 10:11:20.000 PST Finished    user1:file1:Bad1      0      1
                            NotFinished

==> So, you can see we're looking for the events with Orphan=1


$ splunk search
  'host=testTrans01
   | eval F=user + ":" + file + ":" + virus
   | transaction F keeporphans=1 unifyends=t startswith=NotFinished
                                             endswith=Finished maxspan=1m
   | eval Closed=closed_txn
   | eval Orphan=_txn_orphan
   | fillnull Orphan
   | eval Raw=_raw
   | table _time action F Orphan Closed
   | where Orphan=1'
  -auth admin:changeme


           _time              action           F         Orphan Closed
--------------------------- ----------- ---------------- ------ ------
2012-02-18 10:11:20.000 PST NotFinished user2:file2:Bad1      1
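The same orphan check, written as a small Python script rather than a Splunk search, as an added example that is not part of the original wiki page. It parses the test-transaction.log lines from the question (embedded here as a constructed copy), builds the same user:file:virus key, and reports every NotFinished event that has no Finished event for that key within the 60-second window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the same eleven lines as test-transaction.log above.
SAMPLE_LOG = """\
2/18/2012 10:05:20 user=user1 file=file1 virus=Bad1 action=Finished
2/18/2012 10:06:20 user=user1 file=file2 virus=Bad2 action=Finished
2/18/2012 10:06:20 user=user3 file=file3 virus=Bad3 action=Finished
2/18/2012 10:11:20 user=user1 file=file1 virus=Bad1 action=NotFinished
2/18/2012 10:11:20 user=user2 file=file2 virus=Bad1 action=NotFinished
2/18/2012 10:12:10 user=user1 file=file1 virus=Bad1 action=Finished
2/18/2012 10:16:20 user=user1 file=file2 virus=Bad2 action=Finished
2/18/2012 10:16:20 user=user2 file=file2 virus=Bad1 action=NotFinished
2/18/2012 10:16:20 user=user3 file=file3 virus=Bad3 action=Finished
2/18/2012 10:16:20 user=user4 file=file4 virus=Bad4 action=Finished
2/18/2012 10:16:40 user=user2 file=file2 virus=Bad1 action=Finished
"""
LINE_RE = re.compile(r"^(\d+/\d+/\d{4} \d\d:\d\d:\d\d) (.*)$")

def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    return ts, fields

def txn_key(fields):
    """Same unique key the search builds: eval F=user + ":" + file + ":" + virus."""
    return f"{fields.get('user')}:{fields.get('file')}:{fields.get('virus')}"

def find_orphans(log_text, window_seconds=60):
    """NotFinished events with no Finished for the same key within the window
    (the rows the search keeps with _txn_orphan=1 after maxspan=1m expires)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # stable, so same-second order is kept
    orphans = []
    for i, (ts, f) in enumerate(events):
        if f.get("action") != "NotFinished":
            continue
        key, deadline = txn_key(f), ts + timedelta(seconds=window_seconds)
        closed = any(
            j != i and ts <= ts2 <= deadline
            and f2.get("action") == "Finished" and txn_key(f2) == key
            for j, (ts2, f2) in enumerate(events)
        )
        if not closed:
            orphans.append((ts.strftime("%Y-%m-%d %H:%M:%S"), key))
    return orphans
```

Running find_orphans(SAMPLE_LOG) yields the single 10:11:20 user2:file2:Bad1 row, matching the Orphan=1 result of the second search above.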
