Splunk Search

Can transaction be used only with "endswith" without use of "startswith"?

Ahmedkhalil
Path Finder

Can transaction be used with endswith only without use of startswith?
I read that transaction is processing events from latest to oldest, so we can't use endswith only?
Is it possible to use startswith alone?

0 Karma

Ahmedkhalil
Path Finder

Sorry MuS if the question was not clear, but by "working" in the question I mean that there is a closed transaction.
So may I know please if there is a workaround for this problem?

0 Karma

Ahmedkhalil
Path Finder

I know that it will work, but it will not lead to closed_txn=1.
I would like to have one condition, which is endswith, that leads to closed_txn=1.
Thanks in advance

0 Karma

MuS
SplunkTrust

Why do you ask if it will work, if you know it does? You should ask the question with your real requirement instead, which is the latest comment you did.

Ahmedkhalil
Path Finder

Actually, I mean that when I use endswith only, closed_txn=0 all the time and the transaction is not closed, despite there being many events that match this condition. But when I add startswith I start to see closed_txn=1, and when I checked some forums I found the answer that I added in the question. So what I need to know is if there is any way to use only endswith and get closed_txn=1 without the use of any other condition.

0 Karma

MuS
SplunkTrust

Hi Ahmedkhalil,

The simple answer is: yes. Take this simple run-everywhere search:

index=_audit | transaction user endswith="action=login*"

This will work and will return events.
The same is with only the startswith option:

index=_audit | transaction user startswith="action=login*"

Hope this helps ...

cheers, MuS

woodcock
Esteemed Legend

Yes, that is fine; you can use either one, none, or both. Not only do these help define event boundaries but they also help define what is/not a closed_txn and impact the performance (speed) and accuracy of the search.

0 Karma

woodcock
Esteemed Legend

Based on your clarification, you can use endswith="your specific stuff" startswith="1=1" and that should do it by making sure that every transaction has a startswith so that only those without an endswith do not close.

0 Karma

Ahmedkhalil
Path Finder

Unfortunately it didn't work.

0 Karma

woodcock
Esteemed Legend

ARGH! When am I going to learn to test my answers? I made a mistake in the syntax, it should be endswith="your specific stuff" startswith=eval("1"="1").

0 Karma
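To verify that the startswith=eval workaround above actually produces closed transactions, here is an added check (not code posted by anyone in this thread). It reuses the _audit index, the user field and the action=login* pattern from MuS's searches, and summarises the output by the closed_txn field instead of listing the transactions:

```spl
index=_audit
| transaction user startswith=eval("1"="1") endswith="action=login*"
| stats count by closed_txn
```

Run the same search with the startswith clause removed and compare the two result tables: with endswith alone the asker reports only closed_txn=0 rows, and with the always-true startswith condition every transaction has a start event, so only transactions that never hit an endswith match should remain at closed_txn=0.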

Ahmedkhalil
Path Finder

Thanks a lot woodcock for your answer, I think it will work.

0 Karma