Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

transaction - solution for scheduling

the_wolverine
Champion
‎03-25-2013 01:45 PM

Is there a solution where a transactional query, run as a cron, can be forced to find all related events?

As I see it, if the matching events fall outside of the scheduled time period, those events won't be included in the transaction.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2013 01:54 PM

Indeed, if your search is timerange-restricted nothing outside that timerange will get through.

You could however do something like this:

some filters, wide timerange [some other filters, narrow timerange | return 99999 id] | transaction id

That way you would determine the relevant IDs based on some narrow timerange, but widen the search for those IDs only to "fill up" your transactions. I'm just not sure how well you can specify these two ranges in the saved search, might require some fiddling...

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...