Splunk Search

How can I report on incomplete transactions?

hexx, Splunk Employee

I am using the following search to report on successful transactions in our password checkin/checkout system:

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset"

However, I would like to build a report that shows all incomplete transactions. How can I achieve this?

1 Solution

hexx, Splunk Employee

The transaction command creates an internal field named "closed_txn" to indicate if a given transaction is complete or not.

From the Search Reference Manual entry for the transaction command:

keepevicted=<bool>

Description:

Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.

Transactions that fulfill both the "startswith" and "endswith" conditions are marked as successful by having the field "closed_txn" set to 1, whereas transactions that fail to fulfill one or both of these conditions are marked as unsuccessful by having the field "closed_txn" set to 0.

In our case, to report on incomplete transactions we need to:

  • Keep all transactions, both closed (those that match all the transaction restrictions) and open (those that fail to match all the transaction restrictions), by specifying "keepevicted=true".
  • Use the "closed_txn" Boolean field generated by the transaction command to differentiate the invalid transactions.

Our new search should append "| search closed_txn=0" to the base search in order to only report on the unsuccessful transactions:

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | search closed_txn=0


yannK, Splunk Employee

FYI, if you also want to calculate the duration of unclosed transactions, this is possible with an eval.


mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration _raw

Beware, the function now() may not be compatible with real time.

yannK, Splunk Employee

Using a stats command may be less expensive than a transaction:

mysearch ("checkout" OR "reset") | stats latest(_raw) AS recent_event latest(_time) AS _time by Hostname, LBG_User | search recent_event="*checkout*" | eval duration=now()-_time | table _time duration Hostname LBG_User recent_event

mmacvicar_splun, Splunk Employee

Minor correction: duration=0 for events that haven't completed, so "eval duration=if(duration==0,now()-_time,duration)", or:
mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(duration==0,now()-_time,duration) | table _time duration _raw

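A runnable model of what the searches in this thread compute, written here as an added example (Python, not SPL; it is not code posted by any of the participants and not Splunk's implementation of the transaction command). It pairs checkout/reset events per (Hostname, LBG_User) the way "transaction ... keepevicted=true" does, marks the unmatched ones with closed_txn=0 as in the accepted answer, substitutes now()-_time as the duration of open transactions as the two eval posts do, and also implements the stats-style alternative (the latest event per key is still a checkout). The log lines, the action=checkout/reset field, the fixed "now" value and the rule that a second checkout with no intervening reset evicts the first are all constructed assumptions of this model.

```python
"""Model of the transaction / closed_txn searches on constructed data.

Added illustration: not Splunk's transaction implementation and not code
posted in the thread.  See the lead-in for the assumptions it makes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real logs); the action field is an assumption.
SAMPLE_LOG = """\
1700000000 Hostname=srv01 LBG_User=alice action=checkout
1700000300 Hostname=srv01 LBG_User=alice action=reset
1700000600 Hostname=srv02 LBG_User=bob action=checkout
1700000900 Hostname=srv01 LBG_User=alice action=checkout
1700001200 Hostname=srv03 LBG_User=carol action=checkout
1700001500 Hostname=srv03 LBG_User=carol action=checkout
1700001800 Hostname=srv03 LBG_User=carol action=reset
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) Hostname=(?P<host>\S+) LBG_User=(?P<user>\S+) action=(?P<action>\S+)$"
)

Event = Tuple[int, str, str, str]  # (_time, Hostname, LBG_User, action)


@dataclass
class Txn:
    host: str
    user: str
    start: int
    end: Optional[int] = None  # None until a reset closes the transaction
    eventcount: int = 1

    @property
    def closed_txn(self) -> int:
        # Same meaning as Splunk's closed_txn: 1 = both startswith and endswith matched.
        return 1 if self.end is not None else 0

    def duration(self, now: int) -> int:
        # Splunk reports duration=0 for an open transaction; the thread's eval
        # substitutes now()-_time for those, which is what this returns.
        return self.end - self.start if self.end is not None else now - self.start


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["host"], m["user"], m["action"]))
    events.sort()  # oldest first, so a checkout is seen before its reset
    return events


def transactions(events, startswith="checkout", endswith="reset", keepevicted=True) -> List[Txn]:
    open_txns: Dict[Tuple[str, str], Txn] = {}
    out: List[Txn] = []
    for ts, host, user, action in events:
        key = (host, user)
        if action == startswith:
            # Assumption of this model: a second checkout with no intervening
            # reset means the earlier one can never close, so it is evicted.
            prev = open_txns.pop(key, None)
            if prev is not None and keepevicted:
                out.append(prev)
            open_txns[key] = Txn(host, user, ts)
        elif action == endswith:
            txn = open_txns.pop(key, None)
            if txn is None:
                continue  # reset without a matching checkout: not a transaction
            txn.end = ts
            txn.eventcount += 1
            out.append(txn)
        elif key in open_txns:
            open_txns[key].eventcount += 1  # any other event between the two
    if keepevicted:
        out.extend(open_txns.values())  # still open at the end of the time range
    return sorted(out, key=lambda t: t.start)


def incomplete(events) -> List[Txn]:
    """Equivalent of `... keepevicted=true | search closed_txn=0`."""
    return [t for t in transactions(events) if t.closed_txn == 0]


def incomplete_by_latest(events) -> List[Tuple[str, str]]:
    """stats-style alternative: the most recent event per key is still a checkout."""
    latest: Dict[Tuple[str, str], Tuple[int, str]] = {}
    for ts, host, user, action in events:
        latest[(host, user)] = (ts, action)
    return sorted(key for key, (_, action) in latest.items() if action == "checkout")


if __name__ == "__main__":
    now = 1700002000  # fixed "now()" so the output is reproducible
    for t in incomplete(parse(SAMPLE_LOG)):
        print(f"{t.start} {t.host} {t.user} closed_txn={t.closed_txn} duration={t.duration(now)}")
    print("latest-event method:", incomplete_by_latest(parse(SAMPLE_LOG)))
```

On the constructed data the two methods disagree on one row: carol's abandoned checkout at 1700001200 is reported by the transaction model (closed_txn=0) but not by the latest-event method, because her later checkout/reset pair is the most recent event for that key. Whether that older, never-reset checkout should count as an incomplete transaction is what decides which of the two searches in this thread answers the question being asked.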


splunkering
Explorer

Hi @hexx
Thanks for your solution. I have the same requirement but this solution didn't work for me.
When I add keepevicted=true it shows me 2 events per transaction: the transaction started event (with closed_txn=0) and the transaction ended event (with closed_txn=1), and when I add | search closed_txn=0 it shows me the transaction started event for all transactions, including those that completed successfully. But I want only transactions that do not have a completed event.

... | transaction build_number,type startswith="started" endswith="completed" keepevicted=true | search closed_txn = 0


splunkering
Explorer

However, this works, but I am not sure if it's the best approach?
... | stats count by build_number | search count = 1
