Cannot get any result using "transaction startsWith=xxx endsWith=xxx"

kufish001
New Member

Hi,
I'm a Splunk newbie and I'm trying to do some analysis of our logs using 'transaction'.

The logs I want to capture (I have simplified the logs, removing the unrelated events) would start with a line containing "Iteration:[0-9]+" and end with a line containing "Finish prepare":
........................................................................
........................................................................
2016-01-24 14:34:46.892 [main] DEBUG - Iteration:0: start:xxxx: end:xxxx
........................................................................
........................................................................
2016-01-24 14:53:20.256 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................
2016-01-24 14:54:46.437 [main] DEBUG - Iteration:1: start:xxxx: end:xxxx
........................................................................
........................................................................
........................................................................
2016-01-24 15:13:20.132 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................
........................................................................
2016-01-24 14:54:46.437 [main] DEBUG - Iteration:2: start:xxxx: end:xxxx
........................................................................
........................................................................
2016-01-24 15:13:20.132 [main] DEBUG - Finish prepare & send alerts!
........................................................................
........................................................................

I want to get the duration of each iteration, so I tried to use 'transaction' to get that. I used the command below:

  transaction startsWith=Iteration endsWith="Finish prepare"

but no results were found. Can anyone help me check what is wrong?

Thanks

I'm using Splunk 6.2.5

0 Karma

jbjerke_splunk
Splunk Employee

Hi kufish001,

You need to have at least one field in common for the events to join them together. The correct syntax would be something like this:

  transaction Iteration startsWith=Iteration endsWith="Finish prepare"

The search above assumes you have a field called Iteration extracted which contains an ID (1,2,3,4...) that will link the messages together.

See the full docs for the transaction command here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Let me know how you get along.

j

0 Karma