how to show source after transactions (around the starting event of a transaction)

myli12
Path Finder

I did the following search to identify those "A" events that are not paired with / ended by "B" events.

"A" OR "B" | transaction startswith="A" endswith="B" keepevicted=true | search closed_txn=0 "A"

When I clicked on "show source", I got the following error message:

"Could not find target event on the remote server, unable to form the proper distributed search"

I noticed that I always get this same error message when I "show source" after using the transaction function. I'd like to view/show the source around the starting event in a transaction; is there a workaround?

1 Solution

myli12
Path Finder

I have a workaround solution. Assume A won't happen twice within a 1s span. I use transaction & subsearch as follows:

"A" [search "A" OR "B" | transaction startswith="A" endswith="B" keepevicted=true | search closed_txn=0 "A" | eval earliest=_time | eval latest=relative_time(_time, "+1s") | fields host, earliest, latest | format "(" "(" "" ")" "OR" ")"]

Basically, I used a subsearch to convert the transaction results into search results; then I can show source.

Any more elegant solutions are welcome.
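As an added illustration (not part of the original thread, and not Splunk's own code), the Python below models what the accepted workaround does: find the "A" events that never get paired with a "B" (what `transaction ... keepevicted=true | search closed_txn=0 "A"` returns), turn each one into a host plus a one-second time window (the `eval earliest/latest | fields` stage), render those rows the way `format "(" "(" "" ")" "OR" ")"` would, and finally apply that rendered filter as an ordinary search so the matching raw lines are plain events again. The log lines are constructed, the transaction logic is a simplified chronological model of the real command, the exact whitespace of the `format` output is an assumption, and the window treats `latest` as exclusive (which is why the post needs the "A won't happen twice within 1s" caveat).

```python
from datetime import datetime, timezone

# Constructed sample events (not from the post): ISO timestamp, host, A/B marker, detail.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z web1 A request started id=1
2024-01-01T10:00:02Z web1 B request finished id=1
2024-01-01T10:00:05Z web2 A request started id=2
2024-01-01T10:00:09Z web1 A request started id=3
2024-01-01T10:00:11Z web1 B request finished id=3
2024-01-01T10:00:20Z web2 A request started id=4
"""


def parse_events(text):
    """Parse the constructed lines into Splunk-like events (_time as epoch seconds)."""
    events = []
    for line in text.splitlines():
        ts, host, marker, *_ = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"_time": int(when.timestamp()), "host": host,
                       "marker": marker, "_raw": line})
    return sorted(events, key=lambda e: e["_time"])


def unpaired_starts(events):
    """Simplified model of the post's transaction stage: scanning chronologically, an "A"
    opens a transaction and the next "B" closes it. An "A" that is superseded by another "A"
    or never sees a "B" is evicted (closed_txn=0) and returned here."""
    open_start, evicted = None, []
    for ev in events:
        if ev["marker"] == "A":
            if open_start is not None:
                evicted.append(open_start)
            open_start = ev
        elif ev["marker"] == "B" and open_start is not None:
            open_start = None
    if open_start is not None:
        evicted.append(open_start)
    return evicted


def to_subsearch_rows(evicted, window_seconds=1):
    """Mirror of `eval earliest=_time | eval latest=relative_time(_time, "+1s") | fields host, earliest, latest`."""
    return [{"host": e["host"], "earliest": e["_time"], "latest": e["_time"] + window_seconds}
            for e in evicted]


def format_rows(rows, row_prefix="(", col_prefix="(", col_sep="", col_end=")",
                row_sep="OR", row_end=")"):
    """Assumed reconstruction of the `format` command's output for the post's arguments:
    each row's field="value" pairs are wrapped in col_prefix/col_end and joined by col_sep
    (empty here, so the fields are implicitly ANDed); rows are joined by row_sep; the whole
    expression is wrapped in row_prefix/row_end. Exact whitespace is an assumption."""
    joiner = f" {col_sep} " if col_sep else " "
    rendered = [col_prefix + " " + joiner.join(f'{k}="{v}"' for k, v in row.items()) + " " + col_end
                for row in rows]
    return row_prefix + " " + f" {row_sep} ".join(rendered) + " " + row_end


def outer_search(events, rows, marker="A"):
    """Apply the expanded filter as an ordinary search: the outer `"A"` term plus, for any row,
    host match and earliest <= _time < latest (latest exclusive). The hits are plain events,
    which is what makes "show source" work again."""
    return [ev for ev in events
            if ev["marker"] == marker
            and any(ev["host"] == r["host"] and r["earliest"] <= ev["_time"] < r["latest"]
                    for r in rows)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    rows = to_subsearch_rows(unpaired_starts(evs))
    print(format_rows(rows))
    for hit in outer_search(evs, rows):
        print(hit["_raw"])
```

Running it prints the expanded filter, with one parenthesised `host`/`earliest`/`latest` group per unpaired "A" joined by `OR`, followed by the raw lines for ids 2 and 4; the one-second window is what keeps a second "A" on the same host at the same second from being dragged in, which is exactly the assumption the post states.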

