Good Day,
New to Splunk, using version 4.2.3.
Imported some zipped log files into Splunk. I can search them just fine, but the transaction command doesn't work as expected. I am using the transaction command to find the duration of connections.
The search being run is -
index=myIndex | search * | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"
The results however are not accurate, I have results where the myId pulled for startswith is different from the myId field pulled for endswith.
However, if I import the data into splunk's default index the above search works as expected.
How can I fix this without re-importing all the logs into the default index?
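To make the expected behaviour of the search above concrete, here is an added reference model (not Splunk's code and not from the original post) of what `transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"` should produce: events grouped by `myId`, a transaction opened by a `MsgNo=0` event and closed by a `Hang up` event within 30 minutes, so a single transaction can never mix two ids. The log format and sample events are constructed assumptions; running the same lines through Splunk and comparing against this output shows whether the grouping or the extraction of `myId` is where the mismatch comes from.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not data from the original post: timestamp, myId, message.
SAMPLE_LOGS = """\
2011-09-01 10:00:00 myId=A1 MsgNo=0 Dial
2011-09-01 10:00:05 myId=B2 MsgNo=0 Dial
2011-09-01 10:02:30 myId=A1 MsgNo=7 Hang up
2011-09-01 10:40:00 myId=B2 MsgNo=9 Hang up
2011-09-01 11:00:00 myId=C3 MsgNo=3 Hang up
"""

LINE_RE = re.compile(r"^(\S+ \S+) myId=(\S+) (.*)$")


def parse_line(line):
    """Split one constructed log line into (timestamp, myId, message text)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def transactions(lines, startswith="MsgNo=0", endswith="Hang up",
                 maxspan=timedelta(minutes=30)):
    """Simplified model of the search in the question.

    An event containing `startswith` opens a transaction for its myId, the next
    event for the same myId containing `endswith` closes it, and anything later
    than `maxspan` after the start is dropped. Only complete transactions are
    returned, as (myId, start, end, duration_seconds) tuples.
    """
    open_tx = {}          # myId -> start timestamp of an unfinished transaction
    closed = []
    for line in lines:
        ts, my_id, msg = parse_line(line)
        if startswith in msg:
            open_tx[my_id] = ts          # a new start supersedes an unfinished one
            continue
        start = open_tx.get(my_id)
        if start is None:
            continue                     # orphan event: no open transaction for this id
        if ts - start > maxspan:
            del open_tx[my_id]           # exceeded maxspan: discard the incomplete one
            continue
        if endswith in msg:
            closed.append((my_id, start, ts, (ts - start).total_seconds()))
            del open_tx[my_id]
    return closed


def durations_by_id(lines):
    """Map each completed transaction's myId to its duration in seconds."""
    return {my_id: secs for my_id, _, _, secs in transactions(lines)}
```

With the sample above only A1 completes (150 s); B2 hangs up after the 30-minute maxspan and C3 has no start event, so both are dropped rather than being joined to another id's transaction.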
I agree with @bbingham; why are you using | search *? Try without it like this:
index=myIndex | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"
Also try this:
index=myIndex | stats list(_raw) by myId
Can you post an example of the data set?
Also, you don't need the | search *; index=myIndex | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" should produce the same result with less overhead.