Splunk Search

Why is the transaction command with maxspan not giving accurate results?

Laya123
Communicator

Hi,

I have some transactions which have taken 3 hours to complete. When I use maxspan=90m, my transaction is breaking into 2 different transactions (1 transaction is showing as 2 different transactions) and giving 1500 results. I changed to maxspan=3h, but it is not giving all results, only 200; the transaction is not breaking, but I'm missing transactions where the transaction time is less than 90m.

Can any one help me to do this?

Thanks & Regards

1 Solution

Laya123
Communicator

Hi,

I got the answer for this issue. I have used startswith and endswith with maxspan=3h. If you don't have startswith and endswith and you increase the maxspan, you will get fewer results.

Thanks


0 Karma
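
A concrete form of the accepted answer, written as an added example rather than the poster's own search. It assumes the field extracted by the rex is AutoActivateId (as the poster states later in the thread), that the first event of a transaction carries Status="Not Completed" and the last carries Status="Completed" as in the sample rows further down, and that Status is already an extracted field; the index, sourcetype and host are the ones from the poster's query.

```spl
index=ibm sourcetype="AService" host=ABC
| rex field=_raw "Logger - \[(?<AutoActivateId>[^\]]+)\] - "
| transaction AutoActivateId host maxevents=-1 maxspan=3h startswith=(Status="Not Completed") endswith=(Status="Completed") keepevicted=true
| table _time, AutoActivateId, host, Status, duration, eventcount, closed_txn
```

The startswith/endswith filters tell the command where a transaction begins and ends, so a 3h window no longer has to be guessed from the span alone. keepevicted=true is worth adding: transactions the command had to evict (for exceeding maxspan or maxevents, or for hitting the memory limits that make it stop silently) are still output, with closed_txn=0, so truncation is visible in the results instead of simply missing.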

woodcock
Esteemed Legend

The website trashed some of your search text (the name of the extracted field) but I assume that it was supposed to extract Status. If so, then perhaps this will get you started enough to finish on your own:

index=ibm sourcetype="AService" host=ABC
| rex "Logger - \[(?<Status>.*)\] - "
| eventstats values(AutoActivateId) AS AutoActivateIds by host
| stats earliest(_time) AS firstTime latest(_time) AS latestTime list(_raw) AS events values(*) AS * by host

0 Karma

Laya123
Communicator

Thanks for your response. I am extracting AutoActivateId, not Status; anyway, I will try this and get back to you.

Thank you

0 Karma

woodcock
Esteemed Legend

The transaction command's documentation is somewhat vague about it, but when it consumes the maximum amount of memory possible, it will drop all further work and present what it has at that moment WITHOUT ANY INDICATION THAT IT IS INCOMPLETE. This is the reason that I try to avoid using it at all costs.

0 Karma

Laya123
Communicator

Thank you for your response; is there any other command to get all transactions? Please help me with how to do this without the transaction command.

Thanks in advance

0 Karma

lguinn2
Legend

The performance and results of the transaction command can vary widely depending on the number of events. How many events are being piped into the transaction command?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you provide some sample data and current search that you're using?

0 Karma

Laya123
Communicator

hi,

Thank you for your quick response.

In my data most of the transactions are completed within 15 minutes; only a few of them have taken more than 3 hours. If I take maxspan=90m I am getting all the transactions in a given period (I got 2000 rows), but where the transaction time is more than 3 hours that transaction is split into two transactions with the same AutoActivateId (this AutoActivateId is unique for each transaction). Then I changed to maxspan=3h and it's not giving all results, giving only less than 50% of the above results (it's giving only 800 when I changed to maxspan=3h).

For example, if a transaction with AutoActivateId = 123 started at 8:00AM on 10th October 2015 and ended at 11:00AM on 10th October 2015, I am getting results like

_time AutoActivateId host Status
10-10-2015 8:00 123 ABC Not Completed
10-10-2015 9:31 123 ABC Completed

I know why this transaction is split into two transactions: I have given maxspan=90m, so after 90 minutes Splunk considers it a new transaction and gives it as a new transaction, and the status of the transaction also shows different values. When I changed maxspan to 3 hours this transaction shows as one transaction but some other transactions are missing.

Hope I explained my problem properly

Below is the query I used:

index=ibm sourcetype="AService" host=ABC
| rex field=_raw "Logger - \[(?<AutoActivateId>.*)\] - "
| transaction AutoActivateId host maxevents=-1 maxspan=90m
| table _time, AutoActivateId, host, Status

Thanks & Regards

0 Karma
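
The stats-based alternative that woodcock's earlier reply sketches, applied to the query and fields in this post; this is an added example, not a search from either poster. It assumes the rex extracts AutoActivateId (as stated in this thread) and that Status is an available field; nothing else beyond the poster's index, sourcetype and host is taken from the page.

```spl
index=ibm sourcetype="AService" host=ABC
| rex field=_raw "Logger - \[(?<AutoActivateId>[^\]]+)\] - "
| stats earliest(_time) AS firstTime latest(_time) AS lastTime count AS eventCount values(Status) AS statuses latest(Status) AS finalStatus by AutoActivateId host
| eval durationMinutes=round((lastTime-firstTime)/60, 1)
| fieldformat firstTime=strftime(firstTime, "%d-%m-%Y %H:%M")
| fieldformat lastTime=strftime(lastTime, "%d-%m-%Y %H:%M")
| sort - durationMinutes
```

Because stats groups purely on AutoActivateId and host, there is no span to tune: a transaction that ran for 3 hours and one that finished in 15 minutes both come back as a single row, with durationMinutes showing which ones a maxspan=90m transaction would have split. stats also streams and does not hit the transaction command's open-transaction memory limits, so a short result count here means the data really has fewer transactions rather than that the command gave up.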

Laya123
Communicator

Any help for my query?

0 Karma