Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are my two search queries not working with the transaction command?

sjanwity
Communicator
‎10-22-2014 08:05 AM

I have a splunk query which takes data out of a database and tries to perform transaction on it. I've discovered something very odd about this.

If I were to run this command:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same result as running these 2 queries:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | collect index=summary

then do: 

index=summary | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | table [the result set]  | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same results, yes? The former query is simply an appendation of the latter 2 without the use of an index. They both do eval _time=UPDATE_TIME. So shouldn't they be exactly the same?

For some reason they aren't. The former query gives me a table where the transaction command falls apart - sometimes it would be grouping up rows correctly, sometimes it wasn't - and leading me on a week long goose chase on why transaction isn't working as it should, but other commands like stat gave the expected result.

Does anyone know why?

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-23-2014 02:33 PM

That should increase your chances, yeah.

0 Karma
Reply

sjanwity
Communicator
‎10-28-2014 09:37 AM

but it still doesn't work 100%. The problem here I think is that Splunk doesn't recognize the timestamp field even if you explicitly set it so using eval. Maybe this should be a bug report?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-22-2014 01:47 PM

Does your dbquery return events in the proper descending time order? That's where I suspect a difference, shoving it all in a summary index and then searching on that will implicitly order the events by time.

0 Karma
Reply

sjanwity
Communicator
‎10-23-2014 01:50 AM

so if I sort my dbquery by UPDATE_TIME before transacting it I should get the expected input?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...