The intent here is to use the Splunk
transaction startswith
in conjunction with a query that specifies a pair of fields and a free form search string. What is the correct structuring/ordering of the query?
To start with: the following query returns a few records:
index=dev sourcetype="alstest-tuning--1-0-50--*" Error
Now we want to view some records following each of the results. Here are a couple of attempts:
transaction startswith("index=dev sourcetype=\"alstest-tuning--1-0-50--*\" Error") maxevents=20
and
index=dev sourcetype="alstest-tuning--1-0-50--*" transaction startswith("Error") maxevents=20
Neither of those approaches returns anything. The first one also surfaces a related question: how to escape the quotes for the fields. Pointers appreciated.
The way of using transaction is different. Let me brief on Splunk transaction command:
A transaction is any group of related events that span time
Events can come from multiple applications or hosts
Events related to single purchase from an online store can span across an application server, database, and e-commerce engine
One email message can create multiple events as it travels through various queues
Each event in the network traffic logs represents a single user generating a single http request
Visiting a single website normally generates multiple http requests
Syntax of transaction command
transaction [field-list] [name=transaction-name] [transaction_definition-opt]*
The events are grouped into transactions based on the values of this field list
If a quoted list of fields is specified, events are grouped together if they have the same value for each of the fields
Common constraints maxspan | maxpause | maxevetns | startswith | endswith
How to use transaction command:
combine all the events by SESSIONID
index=index_name sourcetype=some-source-type | transaction SESSIONID
With the transaction command, we can also use tables to easily view the information that we want: index=* | transaction SESSIONID | table SESSIONID, action, product_name
transaction command: startswith / endswith : To form transactions based on terms, field values or evaluations, use startswith & endswith options
Example: the first event in the transaction includes addtocart & the last event includes purchase
index=* sourcetype=access* | transaction clientip \
startswith=action="addtocart" endswith=action="purchase"
In your case, you need to use the last shown example.
NOTE: Use transaction when you need to see events correlated together and also must define event grouping based on start / end values.
Related
First Event
06:09:17:362 INFO com.x.y.ConnApp - Making a GET Request
Second Event
06:09:17:480 INFO com.a.b.Response - Output Status Code: 200
Now I want to calculate duration of these two events for every request. I went over the solutions on splunk and Stack Overflow, but still can't get the proper result.
The easy answer is the transaction command, although it has a couple of drawbacks. The first is the command can be a resource hog. The other is can be "greedy" in that multiple requests might be taken to be a single transaction. We'll take care of the second issue with the maxevents option. There's not much we can do about the first except avoid using transaction.
index=foo ("Making a GET Request" OR "Output Status Code:")
| transaction maxevents=2 startswith="Making a GET Request" endswith="Output Status Code:"
| table duration
Another option uses the streamstats command to calculate the difference between adjacent events. This should perform better than transaction.
index=foo ("Making a GET Request" OR "Output Status Code:")
| streamstats window=2 range(_time) as duration
``` Erase the duration field for start events. ```
| eval duration = if(searchmatch("Making a GET Request"),"", duration)
| table _raw duration
Both queries assume the start and end events for different requests are not intermingled.
With the current logging messages, it will be tricky to group logs who are linked by the same source (imagine multiple calls who generate successive Making a GET messages)
In this case, I suggest to spread a ‘correlation Id’ in the logging message
Then you can identify exactly the messages who are triggered by the same source
This involve a change of the app logging function (you can search the following libs: log4/mcd/sleuth)
In Eloqua, can you send out an email to a contact list but version the "hero" image headline for each segment using dynamic content blocks?
And then can you do the reverse, have the main image remain the same, and dynamically populate products below that they've purchased in the past?
For scenario 1, yes that is possible out of the box.
Scenario 2 however is a bit more complicated and would generally require a 3rd party tool to provide this type of dynamic code generation based upon a lookup table (in this case a line item inventory or purchases). Because a contact could have zero or more products (commonly as individual records in a CDO), you would generally need to aggregate or count the number of related records, and then generate your HTML table and formatting around those record values, and be contextually aware if it is the first or last record (to begin and close the table). Dynamic content does not have mathematical functions and would not be able to count those related records - this is something usually provided by a B2C system like SFMC using ampscript or dynamically generated through custom code and sent through a transactional SMTP service. You could have multiple dynamic content on top of each other, but your biggest limitation becomes the field merge, with only lets you select a record based upon earliest/last creation date, or last modified. This is not suitable if you have more than 2 records. A third party service that provides a cloud content module for your email is your best bet.
From Splunk, I am trying to get the user, saved search name and last time a query ran ?
A single Splunk query will be nice.
I am very new to Splunk and I have tried these queries :-
index=_audit action=search info=granted search=*
| search IsNotNull(savedsearch_name) user!="splunk-system-user"
| table user savedserach_name user search _time
The above query , is always empty for savesearch_name.
Splunk's audit log leaves a bit to be desired. For better results, search the internal index.
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| table user savedsearch_name _time
You won't see the search query, however. For that, use REST.
| rest /services/saved/searches | fields title search
Combine them something like this (there may be other ways)
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| fields user savedsearch_name _time
| join savedsearch_name [| rest /services/saved/searches
| fields title search | rename title as savedsearch_name]
| table user savedsearch_name search _time
Note that you have a typo in your query. "savedserach_name" should be "savedsearch_name".
But I also recommend a free app that has a dedicated search tool for this purpose.
https://splunkbase.splunk.com/app/6449/
Specifically the "user activity" view within that app.
Why it's a complex problem - part of the puzzle is in the audit log's info="granted" event, another part is in the audit log's info="completed" event, even more of it is over in the introspection index. You need those three stitched together, and the auditlog is plagued with parsing problems and autokv compounds the problem by extracting all of fields from the SPL itself.
That User Activity view will do all of this for you, sidestep pretty thorny autokv problems in the audit data, and not just give you all of this per search, but also present stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched
it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc. So that admins can try and pick off the worst offenders first.
it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/
(and there's a #sideview_ui channel for it in the community slack.)
I'm facing a very strange issue in my Splunk search. I have a data input coming from a REST API that returns a multi-level (nested) JSON response:
The entity node has several nodes, each node represents one access point. Each access point contains a field called ipAddress.
This API is being called every 5 min and response stored in Splunk. When I do a search to get the list of IP Addresses from one event I don't get all of them. For some reason, is like Splunk is reading only the first seven nodes inside entity, because when I do:
source="rest://AccessPointDetailsAPI" | head 1
Splunk shows only the following values on the field (7 values although there are around 27):
I'm using demo license if that matters. Why I cannot see all values ? If I change my search to look for a specific iPAddress on the response but not on the list it won't return records.
Thanks and regards,
I think I understand the problem now. So the event is a big json and Splunk is not properly parsing all fields on the big json.
We need to tell splunk to parse the specific field we need with spath and specifying the field:
yoursearch | spath output=myIpAddress path=queryResponse.entity{}.accessPointDetailsDTO.ipAddress | table myIpAddress
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Spath
But I think also is important to analyze if maybe the data input needs to be divided in multiple events rather than a single huge event.
Paymill: Given a subscription, what is the curl command to list the transactions associated with that subscription?
Currently, you cannot list the transactions of a specific subscription, but you can list the transactions of a client by adding "?client=CLIENT_ID" to the "List transactions" endpoint. Like this:
curl https://api.paymill.de/v2/transactions?client=client_1b6b8b4003603f1f3cbd \
-u 319ffd1f1d10766e59350568170e8c70:
If you run this command, you'll get 2 transactions. If you remove the "client" query string part, you'll get 3 transactions.
Note that the description for all subscription transactions starts with "Subscription#" and contains the subscription ID in it (sub_ef984bab97c253a0a372). So, you can filter the ones matching one (or all) of these conditions.