Reputation: 283
Splunk - General Queries
I have some general queries on Splunk, as no one on my team has deep technical knowledge & I've never used it before, appreciate anyone's help on this, thanks
I have the following Splunk query
(host = "A" OR host = "B" OR host = "C" OR host = "D" OR host = "E" OR host = "F" OR host = "G" OR host = "H")
AND source = "logs/BAU.log"
| transaction submission_id startswith="ABC Logic begins" endswith="ABC Logic ended"
| eval group = case(host IN ("A", "B", "C", "D"), "Primary",
host IN ("E", "F", "G", "H"), "Secondary")
| chart dc(submission_id) by group
If process ABC fails, the log "ABC Logic ended" will not be displayed, instead "ABC Logic failed" is logged.
In the following log example, will my query return a count of 2 or 3?
INFO [BkndDriver]--[submission_id=1] ABC Logic begins
...
INFO [BkndDriver]--[submission_id=1] ABC Logic failed
...
...
...
INFO [BkndDriver]--[submission_id=2] ABC Logic begins
...
INFO [BkndDriver]--[submission_id=2] ABC Logic ended
...
...
INFO [BkndDriver]--[submission_id=3] ABC Logic begins
...
INFO [BkndDriver]--[submission_id=3] ABC Logic ended
We are experiencing some inaccuracies with the total count of calls made to the ABC service, I am trying to troubleshoot what may be causing the mismatch in the total count.
Because I've structured my query to look for the specific strings "ABC Logic begins" & "ABC Logic ended", I'm not sure if I should change the query to use a different command?
Upvotes: 0
Views: 123
Answers (0)
Related Questions
- Splunk query for Forwarder Management
- Splunk - Use a general statement/regex in transaction endswith
- Splunk Event JSON to Table
- Splunk query - Total or Count by field
- Splunk Query - group events by fields in splunk
- Splunk - Create customized query for Splunk dashboard based on Input selection
- Combine Splunk Rex Queries
- Splunk Regex: Unable to extract data
- How to count results in Splunk and put them in a table?