Hi,
I wanted to find transactions in logs using "startswith" and "endswith", but my log records do not have a common field to
use in the transaction command, as mentioned in
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Transaction
| transaction "some common field" startswith="begin transaction" endswith="done" maxpause=2s maxspan=180s
My problem is that, in the above command, my records do not have a common value/field that marks the beginning and end of a transaction.
Hence, I wanted to try a different approach: search for records with "begin transaction" and then, in those results, get/see the next 10-20 records within a 180-second span, which have "done" as the marker for the END of the transaction.
Is this doable with Splunk?
Any other suggestions for getting the transactions marked with begin and end as a single unit of record?
Thanks.
Hi splukears,
If you're using transaction in Splunk, you are basically using Splunk as a big grep environment, because it breaks way too many things within the Splunk search, like map-reduce, and you will end up getting all _raw data back from the indexers to the search heads.
I would suggest having a look at the March 2016 session of the virtual .conf https://wiki.splunk.com/Virtual_.conf and taking a closer look at the examples on how to use stats with a start or end event. This will give you way better performance and you will not hit any hidden limits of Splunk.
Cheers, MuS
Take a look at the BIN command. That's what I use when I need to see the preceding events.
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin
The transaction command does not require a common field when using the startswith and endswith options.
Thank you for the quick response. I'm getting zero results when I do not provide a keyword (common field) next to transaction that's available in both the begin record and the end record. Can you please suggest how to get the next (all) records within, say, a 30-second span that start with (for example) the "begin" record? Is this doable?
I'm after finding records (transactions) that got initiated but did not complete in, say, 30 seconds.
Thanks a lot!
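A worked search for the stats-based approach MuS points to, which also covers the follow-up question about finding transactions that started but did not finish within 30 seconds. This is an added example, not code from the original thread or from any of its posters; the index name `app`, the sourcetype `app_log`, and the literal markers `begin transaction` and `done` appearing in `_raw` are assumptions, as is the idea that transactions do not overlap in time (each `done` belongs to the most recent `begin transaction` before it).

```spl
index=app sourcetype=app_log ("begin transaction" OR "done")
| sort 0 _time
| eval marker=case(like(_raw, "%begin transaction%"), "begin", like(_raw, "%done%"), "done")
| streamstats count(eval(marker=="begin")) as txn_id
| where txn_id > 0
| stats earliest(_time) as start_time latest(_time) as end_time values(marker) as markers count as events by txn_id
| eval duration=end_time-start_time
| eval completed=if(isnotnull(mvfind(markers, "^done$")), "yes", "no")
| where completed="no" OR duration > 30
| convert ctime(start_time) ctime(end_time)
```

How it works: `sort 0 _time` puts events in chronological order (search results come back newest first, and the running count has to walk forward in time). `streamstats count(eval(marker=="begin"))` increments a counter at every begin marker, so every event up to the next begin inherits the same `txn_id`, which plays the role of the common field the raw events lack. `stats ... by txn_id` then collapses each group into one row with its start, end and the set of markers seen; a group whose `markers` never contains `done` is a transaction that was started but not finished, and `duration > 30` flags the ones that finished too late. Drop the `where txn_id > 0` line if you want to see stray `done` events that precede the first begin. If several sources interleave transactions, add `by host` (or whatever identifies the source) to the `streamstats` and `stats` lines so counters are kept per source.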