Hi all,
I have a transaction which has the keywords "start" and "stop". I use startswith and endswith to define the whole transaction, but the problem is that if the system detects it can't finish, it will reload the transaction again, so the log will look like:
start action... start action... ...... end
Does someone know how I can get the correct duration between the two? Thanks
Kat, try to use only either startswith or endswith. E.g. if you see multiple "start" keywords, then one "stop" keyword, you should use * | transaction your_field endswith="stop"
Remember, in an unsorted Splunk time stream everything is 'backwards', so you might be looking at startswith="stop" and endswith="start", as "stop" would be the first event it came to.
Just a thought, does adding maxspan and maxpause help?
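Added example, not from any post in this thread: a small Python model of the grouping the two answers describe, run over constructed retry events, showing why an endswith-only transaction measures from the first "start" while startswith plus endswith measures only the last attempt, and how a maxpause gap splits a group. It walks events oldest to newest and is a simplification for illustration, not Splunk's actual transaction implementation.

```python
from datetime import datetime

# Constructed sample events (not from the original post), in chronological order:
# one action that stalled and was reloaded twice before it finally stopped.
EVENTS = [
    ("2024-01-01 10:00:00", "start action id=42"),
    ("2024-01-01 10:00:04", "start action id=42"),  # reload after the first attempt stalled
    ("2024-01-01 10:00:09", "start action id=42"),  # second reload
    ("2024-01-01 10:00:13", "stop action id=42"),
]


def parse(events):
    """Turn (timestamp string, message) pairs into (datetime, message) pairs."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg) for ts, msg in events]


def group(events, startswith=None, endswith="stop", maxpause=None):
    """Simplified model of `transaction` (assumption: oldest-to-newest walk).

    - a message containing `startswith` opens a fresh group, discarding any
      unfinished attempt (this is what makes retried starts look short);
    - a message containing `endswith` closes the current group;
    - `maxpause` (seconds) closes a group that went idle longer than the gap.
    Returns a list of (first_ts, last_ts) pairs, one per closed group.
    """
    groups, current = [], []
    for ts, msg in parse(events):
        if current and maxpause is not None and (ts - current[-1]).total_seconds() > maxpause:
            groups.append((current[0], current[-1]))  # idle too long: close the group
            current = []
        if startswith and startswith in msg:
            current = [ts]  # a new start throws away the unfinished attempt
        else:
            current.append(ts)
        if endswith in msg:
            groups.append((current[0], current[-1]))
            current = []
    if current:  # an open group at the end of the stream is reported as-is
        groups.append((current[0], current[-1]))
    return groups


def durations(groups):
    """Duration of each group in whole seconds (last event minus first event)."""
    return [int((last - first).total_seconds()) for first, last in groups]


if __name__ == "__main__":
    print("endswith only     :", durations(group(EVENTS, endswith="stop")))
    print("startswith+endswith:", durations(group(EVENTS, startswith="start", endswith="stop")))
    print("endswith, maxpause=4:", durations(group(EVENTS, endswith="stop", maxpause=4)))
```

With endswith only the whole retried run is one 13-second transaction; with startswith as well, only the final 4-second attempt survives, and maxpause=4 splits the run at the 5-second idle gap.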