Can transaction be used with endswith only without use of startswith?
I read that transaction is processing events from latest to oldest, so we can't use endswith only?
Is it possible to use startswith alone?
sorry mus if the question was not clear but i mean by working in the question that there is closed transaction
So may i know please if there is work around for this problem
I know that it will work but it will not lead to closed_txn =1
I would like to have one condition which is endowing that lead to closed_txn =1
Thanks in advance
Why do you ask if it will work, if you know it does? You should ask the question with your real requirement instead, which is the latest comment you did.
actually i mean when i use endswith only closed_txn =0 all the time and transaction is not closed despite that there is many events match this condition but when i add startswith i start to see closed_txn = 1 and when i check some forms i found the answer that i added in the question So what i need to know if there is any way to use only endswith and closed_txn =1 wihtout use of any other condition
Hi Ahmedkhalil,
The simple answer is, Yes. Take this simple run everywhere command:
index=_audit | transaction user endswith="action=login*"
This will work and will return events.
The same is with only the startswith
option:
index=_audit | transaction user startswith="action=login*"
Hope this helps ...
cheers, MuS
Yes, that is fine; you can use either one, none, or both. Not only do these help define event boundaries but they also help define what is/not a closed_txn
and impact the performance (speed) and accuracy of the search.
Based on your clarification, you can use endswith="your specific stuff" startswith="1=1"
and that should do it by making sure that every transaction has a startswith
so that only those without an endswith
do not close.
unfortunately it didn't work
ARGH! When am I going to learn to test my answers? I made a mistake in the syntax, it should be endswith="your specific stuff" startswith=eval("1"="1")
.
thanks alot woodcock for your answer i think it's will work