We have several problems that we weren't able to resolve with Splunk's SPL. Problems are listed below. Any suggestions are greatly appreciated.
Let's say we have several event types: A, B, C, D, E.
Each event posted is in a _time ordered sequence which we need to maintain.
PROBLEM 1:
And we want transactions that begin with A and end with D.
We can't do the simple transaction below:
... | transaction startswith="A" endswith="D"
because it gives us wrong data, with A sometimes missed inside the Splunk recursive search:
For example, if the event sequence was (AB)[AB](CD), Splunk returns the transaction ABCD from the outer sequence (AB)(CD), and not the inner sequence [AB](CD) which should be the correct transaction. To be correct, the first (AB) is a discarded transaction.
**********************************
So we decide to find transactions that ALWAYS start with A. For instance:
... | transaction startswith="A"
This will give us sample events like:
A
ABCB
AB
ABCE
ABCDCBCBCE
ABCDCDE
ABCDE
ABCDCDCBCDE
ABCBCE
ABCDCDCDE
Now I want to find transactions that start with A, and end in D, but since A is the marker for the beginning of a transaction, we do not want an A grouped into a wrong transaction like above (A starts a new transaction), so we do this:
... | transaction startswith="A" | transaction startswith="A" endswith="D"
This should only give us a subset of the above, that contain D, but not necessarily end with D:
ABCDCDE
ABCDE
ABCDCDCBCDE
ABCDCDCDE
PROBLEM 2:
We would rather have the transactions trimmed at D as follows, but Splunk is not doing this. It leaves whatever is there created from the superset. Maybe piping a transaction to another transaction might not be the solution either?:
ABCDCD
ABCD
ABCDCDCBCD
ABCDCDCD
**********************************
NOW, let's say we want to have a transaction that starts with A, followed by 1 or more Bs, and ending in E. There could be 0 to many Cs and Ds in the mix, but as long as A*B*E is satisfied it should return all the transactions that satisfy this requirement. In this example we are using only 5 event types, but we could have dozens of event types. And thus it could be possible that we are looking for a sequence such as A*B*G*M*V*Z.
The subset of the above PROBLEM 1 example should return for A*B*E:
ABCE
ABCDCBCBCE
ABCDCDE
ABCDE
ABCDCDCBCDE
ABCBCE
ABCDCDCDE
PROBLEM 3:
We need to specify sequence order for specific events with many unknown events that can be intermixed as long as the sequence is satisfied. Example A*B*G*M*V*Z. Is there any way to do this?
It should return something like this as a transaction:
ABCBCDGJKMSRSVYZ
Thanks in advance.
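As an added reference example, not part of the original post and not Splunk SPL: the grouping the three problems describe, written in plain Python so the expected transactions for a constructed event stream can be checked offline. The function names and the sample stream are assumptions of this example.

```python
from typing import List, Optional

# Constructed sample event stream, time-ordered, one character per event.
EVENTS = "CABABCDCDEABCEABCDE"


def split_on_start(events: str, start: str = "A") -> List[str]:
    """PROBLEM 1: every `start` event opens a new transaction, so an A can
    never be absorbed into the transaction before it. Events before the
    first `start` are discarded."""
    txns: List[str] = []
    for ev in events:
        if ev == start:
            txns.append(ev)
        elif txns:
            txns[-1] += ev
    return txns


def trim_at_last(txn: str, end: str = "D") -> Optional[str]:
    """PROBLEM 2: cut the transaction at its last `end` event (ABCDCDE -> ABCDCD);
    None when `end` never occurs, i.e. the transaction is dropped."""
    idx = txn.rfind(end)
    return None if idx < 0 else txn[: idx + 1]


def matches_sequence(txn: str, pattern: str) -> bool:
    """PROBLEM 3: `pattern` (e.g. "ABE" for A*B*E) must occur in order as a
    subsequence of `txn`, with any other events in between, and the
    transaction must start with the first and end with the last pattern event."""
    if not (txn.startswith(pattern[0]) and txn.endswith(pattern[-1])):
        return False
    pos = 0
    for ev in txn:
        if pos < len(pattern) and ev == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def find_transactions(events: str, pattern: str, trim: bool = False) -> List[str]:
    """Split on the pattern's first event, optionally trim at its last event,
    and keep only transactions matching the ordered sequence."""
    found: List[str] = []
    for txn in split_on_start(events, pattern[0]):
        if trim:
            trimmed = trim_at_last(txn, pattern[-1])
            if trimmed is None:
                continue
            txn = trimmed
        if matches_sequence(txn, pattern):
            found.append(txn)
    return found
```

With EVENTS above, `find_transactions(EVENTS, "AD", trim=True)` yields `['ABCDCD', 'ABCD']` and `find_transactions(EVENTS, "ABE")` yields `['ABCDCDE', 'ABCE', 'ABCDE']`.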
How to search for transactions with an ordered sequence, BUT with non-specific events in the middle?