I am still confused after reading the reference.
For example, I fabricated some data
and searched with "|transaction host tag".
Splunk gave me 2 sets of events:
1 » 13-8-20 上午12:01:00.000
20130820 00:01:00 host=Sb tag=2 this is event5
20130820 00:02:00 tag=2 this is event6
20130821 00:02:00 host=Sa tag=2 this is event7
**20130821 00:03:00 host=Sa this is event8**
2 » 13-8-19 上午12:00:00.000
20130819 00:00:00 host=Sa this is event1
20130819 00:01:00 host=Sa tag=1 this is event2
20130819 00:02:00 tag=1 this is event3
20130820 00:03:00 host=Sb tag=1 this is event4
You can see that event1 and event8 are similar, with the same field/value "host=Sa", but were put into different sets.
What arguments can I use to force the results to contain both fields with exactly the same values?
Hi crazyeva,
if your host field really is host=Sa this is eventX
then you could use
endswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the end of a transaction.
and/or
startswith=<filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction.
with your transaction like this:
yourSearch | transaction startswith="Sa this is event8" ....
hope this helps, cheers - MuS
Thank you.
I am beginning to understand this.
"eventX" is just a tag for myself to recognize each event, since I fabricated these data.
No, if there is a transitive relationship between the fields in the fields list, the transaction command will use it. Best for you would be to create a field extraction for 'eventX' and use this in transaction.
I have read that reference; the example given is:
event=1 host=a
event=2 host=a cookie=b
event=3 cookie=b
This is how I imagine it works:
event1 joins event2 on host=a, event2 joins event3 on cookie=b.
These 3 are the same as my data.
Then, going on in my data:
event3 joins event4 on tag=1, but event4 does not join event5 although they share host=Sb?
Does it mean: when transaction uses two fields, if an event is missing one field, say "host", Splunk will consider it to have a field host="Sa or Sb or anything" that will match the next event's host, no matter what value it is?
Well, according to your example it looks like the host field is either 'Sa' or 'Sb' and tag is either '1' or '2', and this is why the transaction command is grouping them this way. Read more here: http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Transaction
Thank you very much, "startswith" or "endswith" may settle my problem with right-looking results.
But I just want to understand what "transaction" does when deciding which events to put together.
When I transaction on two fields, why does it group two events which have a different value in one field (the other being the same), and put two events with only one field, with the same value, separately into two sets?