Splunk Search

Transactions and the endswith option - how to include through a final matching endswith?

evan_scheessele
Explorer

I have a working transaction query for which I need to use an 'endswith' to identify the last event of the transaction. The problem is, that sometimes there are two similar events which together identify the end of the transaction, and I really want to capture both of them (when they occur as a pair) in the transaction results. Today, endswith="*some_string*" works perfectly to match the first instance, and to close out the transaction. How might I modify the transactions options to identify the outer/last matching 'endswith' still within my transaction's maxspan?


wpreston
Motivator

Are you using a field list to unify the events in the transaction? If so, an endswith may not be necessary at all. I believe that the transaction command will not close a transaction until it reaches one of the following parameters: maxevents, maxpause, maxspan, or startswith (since it searches in reverse time order). So the search would be something like:

...your search | transaction Your_Unifying_Field startswith="your string" keepevicted=f 
0 Karma
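To make the reverse-order behaviour wpreston describes concrete, here is an added, stand-alone Python model of that grouping logic. It is not Splunk code and not part of this thread: it walks a constructed event list newest-first, closes a group on a startswith match, on maxspan, or when another endswith match is seen, and shows why dropping endswith keeps a pair of closing events in one transaction. The field name "session" and the START/END messages are constructed stand-ins for the poster's unifying field and "*some_string*" patterns; real Splunk also drops incomplete groups when keepevicted=f, which this model does not reproduce.

```python
"""Toy model of how Splunk's transaction command groups events.

Added example, not Splunk's implementation: it models the behaviour
described in the answer above (events walked in reverse time order; a
group is closed by startswith, maxspan, or another endswith match).
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int          # seconds; constructed sample timestamps
    session: str     # the unifying field (hypothetical name)
    msg: str


@dataclass
class Transaction:
    events: list = field(default_factory=list)

    @property
    def start(self):
        return min(e.ts for e in self.events)

    @property
    def end(self):
        return max(e.ts for e in self.events)


def group_transactions(events, startswith=None, endswith=None, maxspan=None):
    """Group events by session, walking newest-first.

    startswith / endswith are plain substrings (stand-ins for the
    "*some_string*" wildcards in the question). Returns transactions in
    chronological order, each with its events oldest-first.
    """
    open_tx = {}   # session -> Transaction still being built
    done = []

    def close(key):
        tx = open_tx.pop(key, None)
        if tx is not None:
            done.append(tx)

    for ev in sorted(events, key=lambda e: e.ts, reverse=True):
        key = ev.session
        tx = open_tx.get(key)
        # maxspan: an event too far before the newest event in the group closes it
        if tx is not None and maxspan is not None and tx.end - ev.ts > maxspan:
            close(key)
            tx = None
        if endswith is not None and endswith in ev.msg:
            # Walking backwards, an endswith match is where a group begins, so any
            # group already open for this key is closed first. This is what splits
            # a pair of near-identical closing events into two transactions.
            close(key)
            tx = None
        if tx is None:
            tx = open_tx[key] = Transaction()
        tx.events.append(ev)
        if startswith is not None and startswith in ev.msg:
            close(key)   # reached the oldest event of this transaction

    for key in list(open_tx):
        close(key)
    for tx in done:
        tx.events.sort(key=lambda e: e.ts)
    return sorted(done, key=lambda t: t.start)


# Constructed sample: one job whose end is logged twice (a "pair"), then another job.
SAMPLE = [
    Event(100, "s1", "START job"),
    Event(110, "s1", "working"),
    Event(120, "s1", "END job (primary)"),
    Event(121, "s1", "END job (replica)"),
    Event(300, "s1", "START job"),
    Event(320, "s1", "END job"),
]

if __name__ == "__main__":
    for label, kwargs in [("endswith=END", dict(endswith="END")),
                          ("startswith=START", dict(startswith="START"))]:
        print(label)
        for tx in group_transactions(SAMPLE, **kwargs):
            print("  ", [e.ts for e in tx.events])
```

Running it shows three groups with endswith="END" (the 121 replica event is orphaned, which is the symptom in the question) and two groups with startswith only, where both END events sit in the first transaction.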

evan_scheessele
Explorer

Yes, the matching endswith event(s) (or rather the pair of them) are nearly identical, but yes with different timestamps. They aren't completely identical, differing in some fields' values which are not part of the transaction-matching. For all intents and purposes I'd consider them identical but for their timestamp. In any case, I'd like the transaction to match on the 2nd/last event, allowing the 1st of the pair to be included in the transaction, as well as that closing 2nd event.

0 Karma

eashwar
Communicator

The transaction's last event and the outer/last event are exactly the same with different timestamps?

Please comment with the two events and I will give you the solution.

0 Karma