Hi everyone!
I'm trying to use a transaction to group logs that match the following business-logic:
all triggered actions are queued and processed following the FIFO policy
sometimes, many actions can be triggered before the first one is even completed
my logs does not include a common transaction_id that could be use to match the triggering and ACK events
thereby, I must assume that my first ACK is for the first triggered action, and so on.
My transaction command would looks like:
| transaction unit, option startswith="trigger" endswith="ack"
But it seems that Splunk is associating the first ACK event that match my transaction conditions with the last transaction it has opened. I would expect it to work the opposite way, or at least, I wish I could ask it to do so.
Here is a short data sample:
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
The command mentioned above is returning something like:
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
When I would expect:
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
Hope I was clear enough and thank you for your help 🙂
... View more