Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to get the open transactions whose events match the startsWith clause only

Krishna_R
Path Finder
‎06-10-2010 09:45 PM

I'm unable to list the transactions that have events matching with startWith clause but no events for endsWith clause (I'm using the keepevicted=t option aswell). I have a simplified file with only one event to test this:

2010-05-21 09:25:00 : (2314) : Calling function fetchTask

The query:

| rex field=message "Calling function (?<repFunction>.[a-zA-Z]+)" | rex field=message "Completed calling function (?<repFunction>.[a-zA-Z]+)"  | transaction thread_name repFunction startsWith=(message="Calling function*") endsWith=(message="Completed calling function*") keepevicted=t

Results:0

If I add the endsWith event as below, then I get the closed transaction result as expected.

2010-05-21 09:25:03 : (2314) : Completed calling function fetchTask

I'm not sure if I've missed anything here. Any pointers to list the open transaction would be appreciated.

Thanks, Krishna R

props.conf:

EXTRACT-serviceLog2 = \s:\s\((?P<thread_name>[^ ]*)\)\s:\s(?P<message>[^\r\n]*)
Tags (1)
Reply

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎06-11-2010 10:01 PM

This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4)

In the meantime the following search will identify incomplete transactions: 

... | rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | search NOT message="Completed calling function*"
Reply

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎07-01-2010 05:58 PM

I'm not sure I understand what you're trying to do, can you please elaborate a bit more ?

0 Karma
Reply

dskillman
Splunk Employee
Splunk Employee
‎06-18-2010 06:06 PM

This search "kind of" works. How would you report on a given period of time's open transactions? Using timechart with a span=1 and looking for eventcount=1 doens't seem to match.

0 Karma
Reply

Krishna_R
Path Finder
‎06-13-2010 03:27 PM

Thanks for this info! I will try other ways like you have adviced.

0 Karma
Reply

Krishna_R
Path Finder
‎06-11-2010 06:15 PM

btw, those open transactions that match the endswith clause only (no events to match with startswith cluase) are shown in results as expected - in my original query.

0 Karma
Reply

Krishna_R
Path Finder
‎06-11-2010 05:28 PM

Yes. I tried lowercase but there is no difference 🙂

0 Karma
Reply

Lowell
Super Champion
‎06-11-2010 02:28 PM

Have you tried letting off the endswith message then building your own complete/not-complete field with an eval.

Try something like this:

| rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | eval my_close_txn=searchmatch("Completed",1,0)
0 Karma
Reply

Krishna_R
Path Finder
‎06-11-2010 05:27 PM

Hi Lowell,

  1. dropping endswith didn't help (I tried the exact one you pasted) resulted 0 transactions.

  2. i added keepevicted=t, it returned 1 transaction but closed_txn was 1. (I expected it to be 0 - to mark the transaction as open)

0 Karma
Reply

Lowell
Super Champion
‎06-11-2010 02:17 PM

Have you tried using startswith and endswith (all lowercase)? I'm not sure if that matters, but it's worth a try.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...