Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how does transaction command work?

crazyeva
Contributor
‎08-18-2013 08:02 PM

i am still confused after reading the reference
for example i fabricated some data
and search with "|transaction host tag"
Splunk gave me 2 sets of events:
1 » 13-8-20 上午12:01:00.000

20130820 00:01:00 host=Sb tag=2 this is event5
20130820 00:02:00 tag=2 this is event6
20130821 00:02:00 host=Sa tag=2 this is event7
**20130821 00:03:00 host=Sa this is event8*
2 » 13-8-19 上午12:00:00.000

20130819 00:00:00 host=Sa this is event1
20130819 00:01:00 host=Sa tag=1 this is event2
20130819 00:02:00 tag=1 this is event3
20130820 00:03:00 host=Sb tag=1 this is event4

you can see that event1 and event8 are similar with a same field/value "host=Sa", but were put into different set
what arguments can i use to force results contain both fields an exactly the same values?

Tags (1)
0 Karma
Reply

MuS
Legend
‎08-19-2013 01:55 AM

Hi crazyeva

if your host field really is host=Sa this is eventX then you could use

endswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the end of a transaction.

and or

startswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction.

with your transaction like this:

yourSearch | transaction startswith="Sa this is event8" ....

hope this helps, cheers - MuS

0 Karma
Reply

crazyeva
Contributor
‎08-19-2013 06:55 PM

Thank you.
I begin understand this.
"eventX" is just a tag for myself to recognize each event. since I fabricated these data.

0 Karma
Reply

MuS
Legend
‎08-19-2013 03:43 AM

no, if there is a transitive relationship between the fields in the fields list, the transaction command will use it. Best for you would be to create field extraction for 'eventX' and use this in transaction.

Reply

crazyeva
Contributor
‎08-19-2013 03:02 AM

I have read that reference, the example given is:
event=1 host=a
event=2 host=a cookie=b
event=3 cookie=b
this is how i imagine it works:
event1 join event2 on host=a, event2 join event3 on cookie=b
this 3 are the same with my data.
then go on in my data:
event 3 join event4 on tag=1, but event4 doesnot join event5 although on host=Sb?
Does it mean: when transaction two fields, if an event misses one field, say "host", splunk will consider it has a field host="Sa or Sb or anything" that will match next event's host, nomatter what value it is?

0 Karma
Reply

MuS
Legend
‎08-19-2013 02:38 AM

well according to your example it looks like the host field is either 'Sa' or 'Sb' and tag is either '1' or '2' and this is why the transaction command is grouping them this way. read more here: http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Transaction

0 Karma
Reply

crazyeva
Contributor
‎08-19-2013 02:28 AM

Thank you very much, "startswith" or "endswith" may settle my problem with right looking results
But I just want to understand what "transaction" do when deciding put which events together.
When I transaction two fields, why does it group two events which have one field different value(the other is same). And put two events with only field, same value separately into two sets.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...