Cannot get any result using "transaction startsWith=xxx endsWith=xxx"

kufish001
New Member

Hi,
I'm a Splunk newbie and I'm trying to do some analysis for our logs using 'transaction'.

The logs I want to capture (I have simplified the logs, removing the unrelated events) would start with a line containing "Iteration:[0-9]+" and end with a line containing "Finish prepare":
........................................................................
........................................................................
2016-01-24 14:34:46.892 [main] DEBUG - Iteration:0: start:xxxx: end:xxxx
........................................................................
........................................................................
2016-01-24 14:53:20.256 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................
2016-01-24 14:54:46.437 [main] DEBUG - Iteration:1: start:xxxx: end:xxxx
........................................................................
........................................................................
........................................................................
2016-01-24 15:13:20.132 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................
........................................................................
2016-01-24 14:54:46.437 [main] DEBUG - Iteration:2: start:xxxx: end:xxxx
........................................................................
........................................................................
2016-01-24 15:13:20.132 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................

I want to get the duration of each iteration, so I tried to use 'transaction' to get that. I used the command below,

transaction startsWith=Iteration endsWith="Finish prepare",

but no results were found. Can anyone help me check what is wrong?

Thanks

I'm using Splunk 6.2.5

0 Karma

jbjerke_splunk
Splunk Employee

Hi kufish001,

You need to have at least one field in common for the events to join them together. The correct syntax would be something like this:

  transaction Iteration startsWith=Iteration endsWith="Finish prepare"

The search above assumes you have a field called Iteration extracted which contains an ID (1,2,3,4...) that will link the messages together.

See the full docs for the transaction command here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Let me know how you get along.

j

0 Karma
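
For cross-checking the durations a working transaction search should report, here is an added example (not part of the original thread, and not Splunk code) that pairs each "Iteration:N" line with the next "Finish prepare" line in log text of the format shown in the question. The function name `iteration_durations` and the sample lines in `SAMPLE_LOG` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the log format shown in the question (not real data).
SAMPLE_LOG = """\
2016-01-24 14:34:46.892 [main] DEBUG - Iteration:0: start:xxxx: end:xxxx
2016-01-24 14:40:00.000 [main] DEBUG - unrelated event
2016-01-24 14:53:20.256 [main] DEBUG - Finish prepare & send alerts!
2016-01-24 14:54:46.437 [main] DEBUG - Iteration:1: start:xxxx: end:xxxx
2016-01-24 15:13:20.132 [main] DEBUG - Finish prepare & send alerts!
2016-01-24 15:14:46.500 [main] DEBUG - Iteration:2: start:xxxx: end:xxxx
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[[^\]]*\] \w+ - (.*)$")
START_RE = re.compile(r"Iteration:(\d+)")
END_MARKER = "Finish prepare"

def iteration_durations(log_text):
    """Return (closed, unclosed): closed maps iteration id -> seconds between its
    'Iteration:N' line and the next 'Finish prepare' line; unclosed lists ids
    whose end line never appeared (or that were cut off by a new start)."""
    closed, unclosed = {}, []
    current = None  # (iteration id, start time) of the open iteration
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        start = START_RE.search(msg)
        if start:
            if current is not None:
                unclosed.append(current[0])  # previous start never finished
            current = (int(start.group(1)), ts)
        elif END_MARKER in msg and current is not None:
            closed[current[0]] = round((ts - current[1]).total_seconds(), 3)
            current = None
    if current is not None:
        unclosed.append(current[0])
    return closed, unclosed

if __name__ == "__main__":
    done, open_ids = iteration_durations(SAMPLE_LOG)
    for it, secs in sorted(done.items()):
        print(f"Iteration {it}: {secs:.3f} s")
    print("No end line seen for:", open_ids)
```

An iteration that appears in the unclosed list corresponds to a start event with no matching end event, which is worth checking before trusting per-iteration durations.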