Solved: Search for non transaction events

huaraz · ‎09-13-2011

Hi,

I would like to find out that my transactions are correctly put together so that I don't get invalid transactions if for example a start or stop event get lost.

If I would usually have:

start event;
10 events;
stop event

which would be 1 transaction, but then because of a crash or some other data loss I get

start event;
10 events;
start event;
10 events;
stop event

or

start event;
10 events;
stop event;
10 events;
stop event

How many transactions would I get ? What would I get with:

start event;
10 events;
stop event;
5 events;
start event;
10 events;
stop event

Can I search for everything which is not part of a transaction to identify the 5 events ?

Thank you

Markus

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

View solution in original post

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

Search for non transaction events

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio