https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444954#M126202 <P>sample events<BR /> 2018-07-12 21:39:44,979 [WCS-11 ] ice.impl.DbHandlerService$DbWorkerThread INFO START (some process..)<BR /> 2018-07-12 21:39:44,980 [WCS-11 ] .wms.server.manager.nutzer.NutzerManager TRACE about something 1<BR /> 2018-07-12 21:39:44,981 [WCS-11 ] server.manager.system.SystemRolleManager TRACE about something 2<BR /> 2018-07-12 21:39:44,981 [WCS-11 ] g.wms.server.manager.nutzer.RechtManager TRACE about something 3<BR /> 2018-07-12 21:39:44,983 [WCS-11 ] g.wms.server.manager.nutzer.RechtManager TRACE about something etc<BR /> 2018-07-12 21:40:45,973 [WCS-11 ] ice.impl.DbHandlerService$DbWorkerThread INFO END (end process..)</P> <P>I want found transaction by process (for example, WCS-11), where one or more messages contains some word(s) (for example, 'about something' or 'platzToRepack' )</P> Mon, 16 Jul 2018 13:41:14 GMT keekkenen 2018-07-16T13:41:14Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444950#M126198 <P>Hi, all</P> <P>for example, I want find all transactions contains some word. How to make it more faster ? <BR /> If I have too much transaction my search work too long.</P> <P>For example, my search look like<BR /> source="<EM>wms</EM>" <BR /> | transaction process startswith="START" endswith="END"<BR /> | search platzToRepack</P> <P>where <STRONG>process</STRONG> some extracted fields (based on regexp)</P> <P>Please, recommend me some strategies for faster searching</P> Mon, 16 Jul 2018 09:28:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444950#M126198 keekkenen 2018-07-16T09:28:05Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444951#M126199 <P>@keekkenen can you add some sample events for process START and process END? Also what is platzToRepack filter? Can it not be added to base search instead of being present after the transaction command?</P> <P>Ideally you can try using stats instead of transaction. There are several examples on Splunk Answers. For example <A href="https://answers.splunk.com/answers/511699/how-to-get-the-number-of-records-of-a-field-and-su.html">https://answers.splunk.com/answers/511699/how-to-get-the-number-of-records-of-a-field-and-su.html</A>.<BR /> However, for your use case please provide more data so that we can provide something more specific.</P> <P>Following is Splunk Documentation for choosing between various event correlation commands in Splunk:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation">http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation</A></P> Mon, 16 Jul 2018 11:37:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444951#M126199 niketn 2018-07-16T11:37:25Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444952#M126200 <P>@keekkenen can you add some sample events for process START and process END? Also what is platzToRepack filter? Can it not be added to base search instead of being present after the transaction command?</P> <P>Ideally you can try using stats instead of transaction. There are several examples on Splunk Answers. For example <A href="https://answers.splunk.com/answers/511699/how-to-get-the-number-of-records-of-a-field-and-su.html">https://answers.splunk.com/answers/511699/how-to-get-the-number-of-records-of-a-field-and-su.html</A>.<BR /> However, for your use case please provide more data so that we can provide something more specific.</P> <P>Following is Splunk Documentation for choosing between various event correlation commands in Splunk:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation">http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation</A></P> Mon, 16 Jul 2018 11:37:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444952#M126200 niketn 2018-07-16T11:37:58Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444953#M126201 <P>Hi keekkenen,<BR /> the transaction command is a very slow command for its own nature, for this reason it's better to use other solutions, when possible.<BR /> At first, the events in your transaction are only the ones that contain "START" and "END" or there are more events?<BR /> if you want to take only the events that contain "START" and "END", you could use stats command</P> <PRE><CODE>source="wms" (START OR END) | stats values(my_field1) AS my_field1 values(my_field2) AS my_field2 earliest(_time) AS _time | search platzToRepack | table _time my_field1 my_field2 </CODE></PRE> <P>If instead you have a common field, you could run something like this</P> <PRE><CODE>source="wms" common_field=* | stats values(my_field1) AS my_field1 values(my_field2) AS my_field2 earliest(_time) AS _time BY common_field | search platzToRepack | table _time common_field my_field1 my_field2 </CODE></PRE> <P>Otherwise, the only way to improve performances of transaction command is to reduce the time using maxspan option when possible.</P> <P>Bye.<BR /> Giuseppe</P> Mon, 16 Jul 2018 11:41:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444953#M126201 gcusello 2018-07-16T11:41:19Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444954#M126202 <P>sample events<BR /> 2018-07-12 21:39:44,979 [WCS-11 ] ice.impl.DbHandlerService$DbWorkerThread INFO START (some process..)<BR /> 2018-07-12 21:39:44,980 [WCS-11 ] .wms.server.manager.nutzer.NutzerManager TRACE about something 1<BR /> 2018-07-12 21:39:44,981 [WCS-11 ] server.manager.system.SystemRolleManager TRACE about something 2<BR /> 2018-07-12 21:39:44,981 [WCS-11 ] g.wms.server.manager.nutzer.RechtManager TRACE about something 3<BR /> 2018-07-12 21:39:44,983 [WCS-11 ] g.wms.server.manager.nutzer.RechtManager TRACE about something etc<BR /> 2018-07-12 21:40:45,973 [WCS-11 ] ice.impl.DbHandlerService$DbWorkerThread INFO END (end process..)</P> <P>I want found transaction by process (for example, WCS-11), where one or more messages contains some word(s) (for example, 'about something' or 'platzToRepack' )</P> Mon, 16 Jul 2018 13:41:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444954#M126202 keekkenen 2018-07-16T13:41:14Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444955#M126203 <P>No, events has any content, and I want get a transaction - first event with 'START" word plus all events between it and next event (last event in transaction) with 'END' word (see sample events in post above)</P> Mon, 16 Jul 2018 13:48:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444955#M126203 keekkenen 2018-07-16T13:48:23Z https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444956#M126204 <P>I found few solution for my case, but it work unreal too long..<BR /> for example, in log file by 1 hour period I have about 4 million events, it contains more 98 thousand transactions (there are really fat transactions - may be about 600 events), and, for example, in it transactions only one transaction what I try found</P> <P>for find it transaction need 25 min, for check contains it transaction in events need 4 min, it's really too long<BR /> I found it transaction in total commander more quickly</P> Tue, 17 Jul 2018 15:28:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-accelerate-using-transaction/m-p/444956#M126204 keekkenen 2018-07-17T15:28:30Z