Splunk Search

Why does an eventstats before a transaction with no maxspan display results immediately?

tcperkin
New Member

I have noticed some weird behavior that I don't understand when using the transaction command. If I don't specify a maxspan for the transaction command the results aren't displayed until Splunk is finished gathering data within the timeframe specified for the search. If I add an "eventstats count by anyfieldavailable" (or any stats-func other than count) before the transaction it displays results immediately and updates the events in each transaction as it's walking through the data.

I noticed this on a query I built to help ease reading our mail logs.

If I search for this:

index="main" sourcetype="postfix_syslog" | eval from=replace(from,"(<|>)","") | eval to=replace(to,"(<|>)","") | rex "\]:\s(?<sessionId>\w+):" | rex "status=\w+\s\((?<status_message>.*)\)" | where sessionId != "NOQUEUE" | eval status=if(match(_raw, "discard"),"discard",status) | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M") | eventstats count by sessionId | transaction sessionId | where isnotnull(to) | table timestamp from to status sessionId client host

It displays the table and immediately starts populating it.

If I search for this:

index="main" sourcetype="postfix_syslog" | eval from=replace(from,"(<|>)","") | eval to=replace(to,"(<|>)","") | rex "\]:\s(?<sessionId>\w+):" | rex "status=\w+\s\((?<status_message>.*)\)" | where sessionId != "NOQUEUE" | eval status=if(match(_raw, "discard"),"discard",status) | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M") | transaction sessionId | where isnotnull(to) | table timestamp from to status sessionId client host

It doesn't display anything until it has finished searching through the desired timeframe.

My theory is that it has something to do with the "...and save them as values in new fields." part of the eventstats description from the manual. I've poked around the manual and Splunk Base trying to figure out what's going on but am having no luck finding any information.

I'm hoping someone will be able to answer two questions:

  1. Why is this happening?
  2. Is there another (optimal) way to mimic the behavior caused by having the eventstats before the transaction?

pabstec
New Member
  1. I believe it returns results immediately because the eventstats command will group incoming events (those being read in), so the transaction command doesn't have to wait for additional events, it simply has a single event per sessionId that keeps getting updated. Without eventstats, the transaction command has to wait for incoming events before it can group them into a transaction.

  2. Would it be acceptable to provide a maxspan or maxpause to the transaction command? That would enable it to return results because it could finalize transactions before reading in all of the incoming events.

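The finalization rule pabstec describes can be seen in a small streaming simulation. This is an added example, not code from the thread or from Splunk: it groups constructed postfix-style lines by the same `sessionId` capture the question's `rex` uses, and records at which event time each group could be emitted. With no limit every group waits for the end of the stream (the behaviour in the second search); a `maxpause` lets idle groups close as soon as a later event proves the pause was exceeded, and a `maxspan` closes a group whose duration would exceed the limit and starts a new one for the same id, which is why the results appear sooner but long sessions can be split. The event times, session ids and addresses are all constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events: (event time in seconds, raw postfix-style line).
SAMPLE_EVENTS = [
    (0, "postfix/smtpd[1]: ABC123: client=mx.example.net[192.0.2.10]"),
    (1, "postfix/cleanup[2]: ABC123: message-id=<a@example.net>"),
    (2, "postfix/qmgr[3]: ABC123: from=<alice@example.net>, size=1200"),
    (3, "postfix/smtpd[1]: DEF456: client=mx.example.org[198.51.100.7]"),
    (5, "postfix/smtp[4]: ABC123: to=<bob@example.com>, status=sent (250 ok)"),
    (6, "postfix/qmgr[3]: DEF456: from=<carol@example.org>, size=800"),
    (8, "postfix/smtp[4]: DEF456: to=<dave@example.com>, status=deferred (timed out)"),
    (40, "postfix/smtpd[1]: GHI789: client=mx.example.com[203.0.113.5]"),
]

# Same capture as the question's rex "\]:\s(?<sessionId>\w+):".
SESSION_RE = re.compile(r"\]:\s(?P<sessionId>\w+):")

END_OF_STREAM = "end"


@dataclass
class Transaction:
    session_id: str
    first_time: int
    last_time: int
    raw: list = field(default_factory=list)


def stream_transactions(events, maxpause=None, maxspan=None):
    """Group events by sessionId the way a streaming transaction would.

    Returns a list of (emitted_at, session_id, event_count) in emission order.
    emitted_at is the event time at which the group could be finalized, or
    END_OF_STREAM when it had to wait for the whole search to finish.
    """
    open_tx = {}
    emitted = []

    def close(session_id, emitted_at):
        tx = open_tx.pop(session_id)
        emitted.append((emitted_at, session_id, len(tx.raw)))

    for t, raw in events:
        # maxpause: a group idle for longer than the limit can be closed now,
        # because this later event proves no earlier event can still arrive
        if maxpause is not None:
            idle = [sid for sid, tx in open_tx.items() if t - tx.last_time > maxpause]
            for sid in idle:
                close(sid, t)
        m = SESSION_RE.search(raw)
        if not m:
            continue
        sid = m.group("sessionId")
        tx = open_tx.get(sid)
        # maxspan: a group whose total duration would exceed the limit is closed
        # and this event starts a fresh group under the same id
        if tx is not None and maxspan is not None and t - tx.first_time > maxspan:
            close(sid, t)
            tx = None
        if tx is None:
            tx = open_tx[sid] = Transaction(sid, t, t)
        tx.last_time = t
        tx.raw.append(raw)
    # without a limit, anything still open can only be emitted once the
    # stream is exhausted, which is the "nothing until the search finishes" case
    for sid in list(open_tx):
        close(sid, END_OF_STREAM)
    return emitted


if __name__ == "__main__":
    for label, kwargs in [("no limits", {}), ("maxpause=10", {"maxpause": 10}),
                          ("maxspan=4", {"maxspan": 4})]:
        print(label)
        for emitted_at, sid, n in stream_transactions(SAMPLE_EVENTS, **kwargs):
            print(f"  {sid}: {n} events, emitted at {emitted_at}")
```

The simulation closes idle groups only when a later event arrives, which is enough to show the ordering; a real streaming search can also close them on the clock. Note that in the `maxspan` run both ABC123 and DEF456 come out as two transactions each, so a limit chosen for responsiveness should be checked against the longest legitimate session in the logs.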