Splunk Search

Why does increasing the value of maxopentxn reduce the number of returned transaction events?

gesman
Communicator

I run the transaction command in the following manner:
... | transaction tlsid maxpause=15m maxevents=-1 keepevicted=1 mvlist=pages ...
It returns 14,776 events (transactions).

My limits.conf contains these settings:

[transactions]
maxopentxn    = 5000
maxopenevents = 100000

When I ran the same search, but with a larger maxopentxn:
...| transaction tlsid maxpause=15m maxevents=-1 keepevicted=1 maxopentxn=1000000 mvlist=pages ...
it returns 14,390 events.

Why does increasing the limits reduce the number of transactions returned?
I expect the same or a bigger number, not a smaller one - my computer resources seem to be sufficient.

1 Solution

martin_mueller
SplunkTrust

If you have a low number of open transactions, some will get closed when you hit that limit and new ones may get opened later in the search for the same tlsid. When you have a higher number of open transactions, these "split up" tlsid values will end up in one big combined transaction, giving you a lower overall number of transactions.
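The splitting effect described in the answer above, as an added example that is not part of the original thread or Splunk's own code: a simplified Python model of grouping events by tlsid under an open-transaction cap. It assumes that the least recently updated open transaction is the one evicted (the thread does not state Splunk's eviction policy) and that evicted transactions are still returned, as with keepevicted=1; the sample events are constructed.

```python
from collections import OrderedDict


def count_transactions(events, maxopentxn, maxpause=900):
    """Group (timestamp, tlsid) events and return how many transactions result.

    Simplified model (assumption, not Splunk's implementation): when more than
    maxopentxn transactions are open, the least recently updated one is
    evicted and still counted, mirroring keepevicted=1.
    """
    open_txn = OrderedDict()  # tlsid -> time of last event, oldest first
    emitted = 0
    for ts, tlsid in sorted(events):
        last = open_txn.pop(tlsid, None)
        if last is not None and ts - last > maxpause:
            emitted += 1  # pause too long: close the old transaction
        # An unknown tlsid (never seen, or evicted earlier) starts a new one.
        open_txn[tlsid] = ts
        if len(open_txn) > maxopentxn:
            open_txn.popitem(last=False)  # evict the oldest open transaction
            emitted += 1
    return emitted + len(open_txn)  # whatever is still open closes at the end


def sample_events(sessions=20, rounds=3, step=300):
    """Constructed data: interleaved sessions, one event each per round."""
    return [(r * step + s, f"tls-{s:02d}")
            for r in range(rounds) for s in range(sessions)]


if __name__ == "__main__":
    events = sample_events()
    for cap in (5, 20, 1_000_000):
        print(f"maxopentxn={cap:>7}: {count_transactions(events, cap)} transactions")
```

With the low cap, every session is evicted before its next event arrives, so each later event opens a fresh transaction for the same tlsid and the total goes up.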

gesman
Communicator

Great, thanks.

Gleb

0 Karma