Solved: Search for non transaction events

huaraz · ‎09-13-2011

Hi,

I would like to find out that my transactions are correctly put together so that I don't get invalid transactions if for example a start or stop event get lost.

If I would usually have:

start event;
10 events;
stop event

which would be 1 transaction, but then because of a crash or some other data loss I get

start event;
10 events;
start event;
10 events;
stop event

or

start event;
10 events;
stop event;
10 events;
stop event

How many transactions would I get ? What would I get with:

start event;
10 events;
stop event;
5 events;
start event;
10 events;
stop event

Can I search for everything which is not part of a transaction to identify the 5 events ?

Thank you

Markus

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

View solution in original post

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

Search for non transaction events

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!