topic How does the pairing work in a transaction? in Splunk Search

How does the pairing work in a transaction?

danielbb — Tue, 10 Sep 2019 17:10:55 GMT

This one relates to How can we deal with a negation of a transaction?

We have this code -

 (index=wineventlog  OR 
 (index=checkpoint action=Accept) 
 | eval destination_ip = coalesce(Source_Network_Address,dest_ip) 
 | eval action-{index}= action 
 | eval src-{index}= src 
 | transaction destination_ip maxspan=60s startswith=action-checkpoint="Accept" endswith=action-wineventlog="success" keeporphans=1 unifyends=1 
 | search src-wineventlog = * AND src-checkpoint = * 
 | lookup(s) ....
 | table <fields>

We end up with one event from checkpoint bound in the transaction to one event from wineventlog. Meaning, each transaction is of two events from the two indexes. However, we realize that for one event from checkpoint, there are 12 possible candidates from wineventlog. All these 12 events stratify the criteria. So, how does the transaction command pick one of these 12 events? Is there logic for the choice?

Re: How does the pairing work in a transaction?

diogofgm — Wed, 30 Sep 2020 02:06:25 GMT

Splunk will use the first action-checkpoint="Accept" for an destination_ip and pair it with whatever data it finds in between using the same destination_ip till the first action-wineventlog="success" with that same destination_ip
in your case after 60s if it doesn't find a action-wineventlog="success"it will consider it an orphan transaction. The logic here is time based.

If you want to check all the end possibilities consider using |stats instead of |transaction. Not only you can probably accomplish the same task, but you'll get way better performance doing it.

Re: How does the pairing work in a transaction?

danielbb — Tue, 10 Sep 2019 17:27:24 GMT

It does make sense.