Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get incomplete transactions

Laya123
Communicator
‎04-23-2015 09:47 PM

Hi,

I need small help from you, I am calculating duration of each transaction of on userid.

My query:

index=A sourcetype=B host=ABC | rex field=_raw "-R(?.*)-I" | rex field=_raw "status\s" |transaction DID maxevents=10000 startswith="Beginning session" endswith="Ending session" | convert ctime(_time) as time |eval endtime= _time+duration |convert ctime(endtime) as Endtime| eval hour=strftime(_time, "%H")|eval status=if(result="0","Success", "Error") | table DID time Endtime duration Project host result status hour

the above query is giving correct results only, but there is some transactions which is not having 'Ending session', for some transaction there is no 'Beginning and ending session'. I know that where the beginning and end session are not there were incomplete transactions and their status is error. but I am not getting those DIDs in my output, I am getting only where Beginning and ending session DIDs.

Pl help me to do this

here is some sample logs which not having beginning and ending sessions

Logs:
1. No Ending session but having 3-4 log lines
117,20150418 05:09:42.860,155,32,MIV,1615241 - 0xc64,-P -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Beginning session
208,20150418 05:10:18.111,155,32,MIV,1615241 - 0xc64,-PC2BBD -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Processed package bc7f579a-6a59-495f-b23e-059ea49e963c from client 6801ddbc-1528-472f-805a-d9645c4ffa0c
208,20150418 05:12:21.193,155,32,MIV,1615241 - 0xc64,-PCX2J6 -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Processed package deca35af-62f4-4db4-8fa5-ff01784f085d from client 6801ddbc-1528-472f-805a-d9645c4ffa0c

  1. No ending session with one log line
    118,20150418 09:52:10.058,155,32,MIV,1634745 - 0x1aac,-P -Rbde65047-6274-4fbf-98bd-b8593b014dd9 -I152 Beginning session

  2. For some dids there is no beginning session and endining session as per logs its starting with ‘session does not exist’

277,20150414 14:15:56.227,155,4,MIV,1333626 - 0x13a4,-P -R -I Session does not exist for 2dd0b5a3-bcbe-428f-b8b0-23aefc96e0a4
268,20150414 14:08:53.198,155,4,MIV,1333626 - 0x13a4,-P -R -I Session does not exist for 9edb5b57-85f1-47c6-a3e3-62ebf5767990

Thanks in advance

Tags (2)
0 Karma
Reply

fdi01
Motivator
‎04-24-2015 07:48 AM

for :
No Ending session but having 3-4 log lines try like this:

   ...|transaction DID maxevents=10000 startswith="Beginning session"  |...

For some dids there is no beginning session and endining session as per logs its starting with ‘session does not exist’
try like this:

 ...|transaction  "Session does not exist" maxevents=10000|...

or

you can use this transaction option keeporphans=true
because it Specify whether the transaction command should output the results that are not part of any transactions. The results that are passed through as "orphans" are distinguished from transaction events with a _txn_orphan field, which has a value of 1 for orphan results. Defaults to false.

0 Karma
Reply

Laya123
Communicator
‎04-24-2015 07:59 AM

Hi,

Thank you for your response,

It means you want me to use two transactions in one search

Regards

0 Karma
Reply

fdi01
Motivator
‎04-25-2015 01:49 AM

yes you can.

0 Karma
Reply

Laya123
Communicator
‎04-27-2015 06:26 AM

as per your suggestion i have taken two transactions but its giving error.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-23-2015 09:54 PM

I think you would like to keep include events that dont match the transaction command. You can add the 'keepevicted=true' flag to your transaction command in search. Then all of your events will have a 'closed_txn' field which is boolean 0 or 1 depending if the transaction is complete or not. From there you can look at non-closed transaction events and decide what to do..

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎04-23-2015 10:19 PM

Refer to the docs for syntax : http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction

... | transaction keepevicted=true ....

After that, you will have a new field called closed_txn. Filter your results based on the values of that field and see how your results look.

0 Karma
Reply

Laya123
Communicator
‎04-23-2015 10:25 PM

Thank you so much, I will try this and let you know

0 Karma
Reply

Laya123
Communicator
‎04-24-2015 06:43 AM

Hi,

I tried keepevicted =true but no luck. Pl suggest me is there any other way to do this

Thanks & Regards

0 Karma
Reply

Laya123
Communicator
‎04-23-2015 10:13 PM

Hi,

Thanks for your immediate response,

I tried keepevicted and close_txn but i didnt get the results what i expected. May be I am using these 2 commands in wrong place, If you dont mind can you please tell me where I can use these 2 commands with a small example

thank you so much

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...