I am using the following search to report on successful transactions in our password checkin/checkout system:
(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset"
However, I would like to build a report that shows all incomplete transactions. How can I achieve this?
The transaction command creates an internal field named "closed_txn" to indicate if a given transaction is complete or not.
From the Search Reference Manual entry for the Transaction command:
keepevicted=<bool>
Description:
Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.
Transactions that fulfill both the "startswith" and "endswith" condition are marked as successful by having the field "closed_txn" set to 1, where transactions that fail to fulfill one or both of these conditions are marked as unsuccessful by having the field "closed_txn" set to 0.
In our case, to report on incomplete transactions we need to:
Our new search should append "| search closed_txn=0" to the base search in order to only report on the unsuccessful transactions:
(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | search closed_txn=0
FYI, if you also want to calculate duration of unclosed transactions, this is possible with an eval.
mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration _raw
Beware, the function now() may not be compatible with real time.
Using a stats command may be less expensive than a transaction:
mysearch "checkout" OR "reset" | stats first(_raw) AS recent_event first(_time) AS _time by Hostname, LBG_User | where recent_event="*checkout*" | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration Hostname LBG_User recent_event
Minor correction, duration=0 for events that haven't completed so "eval duration=if(duration==0,now()-_time,duration)" or:
mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(duration==0,now()-_time,duration) | table _time duration _raw
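As an added illustration that is not part of the original thread, the following Python models what `transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true` produces, the `closed_txn=0` filter, and the duration eval from the comments above, over a few constructed events. The field names and the checkout/reset markers come from the search in the question; the hostnames, users and timestamps are made up.

```python
from datetime import datetime, timezone

# Constructed sample events (hypothetical values); field names follow the
# thread's search: Hostname, LBG_User, and checkout/reset markers in _raw.
EVENTS = [
    {"_time": 1000, "Hostname": "aix01", "LBG_User": "alice", "_raw": "checkout alice on aix01"},
    {"_time": 1300, "Hostname": "aix01", "LBG_User": "alice", "_raw": "reset alice on aix01"},
    {"_time": 2000, "Hostname": "aix02", "LBG_User": "bob",   "_raw": "checkout bob on aix02"},
    {"_time": 1500, "Hostname": "aix01", "LBG_User": "carol", "_raw": "reset carol on aix01"},
]

def build_transactions(events, start_marker="checkout", end_marker="reset", now=None):
    """Pair each start event with the next end event for the same
    (Hostname, LBG_User), like `transaction ... keepevicted=true`.
    closed_txn=1 for a complete pair, 0 for an evicted (unmatched) one.
    Open checkouts get duration = now - _time, mirroring the thread's eval."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    open_txns, done = {}, []

    def evict(txn):                         # unmatched start or end event
        txn["closed_txn"] = 0
        txn["duration"] = now - txn["_time"] if txn["started"] else 0
        done.append(txn)

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["Hostname"], ev["LBG_User"])
        txn = {"_time": ev["_time"], "Hostname": key[0], "LBG_User": key[1], "events": [ev]}
        if start_marker in ev["_raw"]:
            if key in open_txns:            # second checkout before any reset
                evict(open_txns.pop(key))
            txn["started"] = True
            open_txns[key] = txn
        elif end_marker in ev["_raw"]:
            if key in open_txns:            # reset closes the open checkout
                cur = open_txns.pop(key)
                cur["events"].append(ev)
                cur["closed_txn"] = 1
                cur["duration"] = ev["_time"] - cur["_time"]
                done.append(cur)
            else:                           # reset with no preceding checkout
                txn["started"] = False
                evict(txn)
    for txn in open_txns.values():          # checkouts that were never reset
        evict(txn)
    return sorted(done, key=lambda t: t["_time"])

def incomplete(transactions):
    """Equivalent of appending `| search closed_txn=0`."""
    return [t for t in transactions if t["closed_txn"] == 0]
```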
Hi @hexx
Thanks for your solution. I have the same requirement but this solution didn't work for me.
When I add keepevicted=true it shows me 2 events per transaction; transaction started event (with closed_txn=0) and transaction ended event (with closed_txn=1) and when I add | search closed_txn=0
it shows me transaction started event for all transactions - including those that completed successfully. But I want only transactions that do not have a completed event
... | transaction build_number,type startswith="started" endswith="completed" keepevicted=true | search closed_txn = 0
However, this works, but I am not sure if it's the best approach?
... | stats count by build_number | search count = 1