https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455595#M9626 <P>I have a log with many instances of the following ... these can happen in parallel. I was attempting to use a transaction to mine these via startswith="Received Query" and endswith="Completed Query".</P> <P>&lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site</I></I></I></I></I></I></P> <P>The problem is that since these can happen in parallel, I can mismatch start and end events. The way you know which ones match are based on the thread number ... 24 or 25 or 26 in this case. Is there a way to extract that dynamic number and use it to form the transaction ...</P> <P>transaction startswith="Received Query" and endswith="Completed Query" ... and "contains" the dynamically generated number?</P> <P></P> Tue, 30 Oct 2018 17:14:49 GMT dmoulais 2018-10-30T17:14:49Z https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455595#M9626 <P>I have a log with many instances of the following ... these can happen in parallel. I was attempting to use a transaction to mine these via startswith="Received Query" and endswith="Completed Query".</P> <P>&lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:37 639 -0400&gt;<I> Received Query on NE:38.120.48.29,{"targetClass":"nsd-service:/services/eline-sites/site","operator":"=","field":"classId","value":"nsd-service:/services/eline-sites/site"}, For BOTH Attributes<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site<BR /> &lt;2018.10.29 10:02:38 696 -0400&gt;<I> Completed Query: NE 38.120.48.29 Target Class nsd-service:/services/eline-sites/site</I></I></I></I></I></I></P> <P>The problem is that since these can happen in parallel, I can mismatch start and end events. The way you know which ones match are based on the thread number ... 24 or 25 or 26 in this case. Is there a way to extract that dynamic number and use it to form the transaction ...</P> <P>transaction startswith="Received Query" and endswith="Completed Query" ... and "contains" the dynamically generated number?</P> <P></P> Tue, 30 Oct 2018 17:14:49 GMT https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455595#M9626 dmoulais 2018-10-30T17:14:49Z https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455596#M9627 <P>is the thread number in your event? or can you pull it out with a regex? If you can you could do something like this. </P> <PRE><CODE>| transaction ThreadNum startswith="Received Query" endswith="CompletedQuery" maxevents=2 </CODE></PRE> Tue, 30 Oct 2018 18:29:03 GMT https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455596#M9627 kmaron 2018-10-30T18:29:03Z https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455597#M9628 <P>Yes this works thanks - I frequently forget you can use a field name as a transaction grouping <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>index=xxhost=vm4 source="/opt/nsp/mediation/log/xx.log" "xx-grpc-exec" AND ( "Received Query" OR "Completed Query" ) | rex "-exec[(?\d+)]" | transaction threadId startswith="Received Query" endswith="Completed Query" | chart values(duration) as "Query Time" by _time</P> Tue, 30 Oct 2018 18:42:01 GMT https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455597#M9628 dmoulais 2018-10-30T18:42:01Z https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455598#M9629 <P>perfect! I'll convert it to an answer so you can accept it. </P> Tue, 30 Oct 2018 18:43:18 GMT https://community.splunk.com/t5/Reporting/Transactions-With-Variable-start-end/m-p/455598#M9629 kmaron 2018-10-30T18:43:18Z