- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my transaction search with earliest=-2d not...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my transaction search with earliest=-2d not returning all grouped events?
When I run the below command, it returns some of the grouped events, but not all of them. It will not return the most recent events.
If I change to earliest=-1d, it returns events (more recent) than that of earliest=-2d. I thought all events up to the current time should be returned with -2d or -1d. In other words, -2d should return 2 days worth, -1d should return 1 day worth, but all events returned from -1d should be returned with -2d, right?
index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version" | xmlkv | fields _time clientId | transaction clientId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @riotto,
To return all the events that are not part of the grouped transactions, use the attribute
keeporphans=true
More examples: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction
Syntax: .....|transactions startswith=Start endswith=Ends keeporphaned=true ....will return loose events. Also, look at the option keepevicted=true from the same docs link.
As far as the -2d and -1d questions is concerned, are you missing any large subset of events?
Hope this helps!
Thanks,,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is missing the most recent events that are part of the grouped transaction. My question about -1d and -2d is that -2d should be inclusive of -1d, but appears not to be. The search is grouping events (there are only two events in a group. I want only the groups that have a duration of > 5. There are groups that meet the criteria for today and are returned with -1d, but not with -2d...make sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is it possible that it's returning lots of data? There is a limit on open transactions that can be returned. Please take a look at this answer
https://answers.splunk.com/answers/186106/is-there-a-limit-on-the-number-of-events-returned.html
Thanks,
Raghav
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
