https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498914#M138975 <P>Hi does anyone know is there is a way for transaction starts with ends with take the middle result Example, i have transaction DESCRIPTION startswith = VALUE = “RUN” endswith =VALUE=“STOP”</P> <P>In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.</P> <P>Apparently the Transaction command works with RUN,STOP but if there is RUN,RUN,RUN,STOP it will only take the last part of the RUN,STOP. </P> <P>Does anyone know a way it can get information from RUN,....,....,STOP , and also RUN,STOP,STOP it will get RUN,....,STOP</P> <P>I hope you all understand what i meant.</P> Mon, 23 Mar 2020 03:11:24 GMT chookp 2020-03-23T03:11:24Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498914#M138975 <P>Hi does anyone know is there is a way for transaction starts with ends with take the middle result Example, i have transaction DESCRIPTION startswith = VALUE = “RUN” endswith =VALUE=“STOP”</P> <P>In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.</P> <P>Apparently the Transaction command works with RUN,STOP but if there is RUN,RUN,RUN,STOP it will only take the last part of the RUN,STOP. </P> <P>Does anyone know a way it can get information from RUN,....,....,STOP , and also RUN,STOP,STOP it will get RUN,....,STOP</P> <P>I hope you all understand what i meant.</P> Mon, 23 Mar 2020 03:11:24 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498914#M138975 chookp 2020-03-23T03:11:24Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498915#M138976 <P>@chookp post a couple of sample events to assist. </P> Thu, 26 Mar 2020 04:13:34 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498915#M138976 anmolpatel 2020-03-26T04:13:34Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498916#M138977 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8564iC8D20F06CB23EF69/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>hi above is the sample of my event using the transaction to get each of my pump rum and stop duration, my issue is when there is a run run stop event it will take the latest run and first stop. <BR /> below show my full list of event i did a MVindex so that you are able to see the full run stop event with the time.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8565i44856694AB2C45E1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>the first picture show my transaction command which i did the information i circle is where i spot the error where it fail to detect my first "RUN". the second picture shows the full list of the event the part where i put a "?" is the missing infomation and the arrow pointing to it is the wrong RUN.</P> <P>so i would like to check is there a way to allow the transaction to take in the First "RUN" and first "Stop" that it sees or is there other command which i can compare the next value such that if its a RUN i can change the value of something, i hope this clarify my doubt thanks ..</P> Thu, 26 Mar 2020 07:32:05 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498916#M138977 chookp 2020-03-26T07:32:05Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498917#M138978 <P>What does the transaction command that's producing these results look like?</P> Thu, 26 Mar 2020 14:42:55 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498917#M138978 rmmiller 2020-03-26T14:42:55Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498918#M138979 <P>Ditch <CODE>transaction</CODE>; it is overkill and does not scale well. Try this instead:</P> <PRE><CODE>... | streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME | stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME </CODE></PRE> Thu, 26 Mar 2020 16:29:55 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498918#M138979 woodcock 2020-03-26T16:29:55Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498919#M138980 <P>Transaction ASSET_NAME startswith =VALUE=“RUN” endswith = VALUE=“STOP”</P> Fri, 27 Mar 2020 03:48:31 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498919#M138980 chookp 2020-03-27T03:48:31Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498920#M138981 <P>Transaction ASSET_NAME startswith =VALUE=“RUN” endswith = VALUE=“STOP”</P> Fri, 27 Mar 2020 03:48:54 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498920#M138981 chookp 2020-03-27T03:48:54Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498921#M138982 <PRE><CODE>... | reverse | streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME | stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME </CODE></PRE> <P>transaction can use <CODE>eval</CODE> , you can make condition other <CODE>startswith</CODE> and <CODE>endswith</CODE><BR /> but I recommend <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a> solution.</P> <P>This query <CODE>streamstats</CODE> is group by ASSET_NAME till <EM>VALUE="STOP"</EM><BR /> Isn't this same as <CODE>transaction</CODE>?</P> <P>If you need <CODE>duration</CODE> and <CODE>linecount</CODE> , try <CODE>range()</CODE> and <CODE>count</CODE> with <CODE>stats</CODE>.</P> <P>why do I add <CODE>reverse</CODE>? The new event is on the top by default.<BR /> <CODE>streamstats</CODE> works from top. need <CODE>reverse</CODE> OR <CODE>sort 0 _time</CODE></P> Wed, 30 Sep 2020 04:44:22 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498921#M138982 to4kawa 2020-09-30T04:44:22Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498922#M138983 <P>Hi thanks for the help, i had tried the command it works well enough...but the problem is my field VALUE inside have “run,stop,normal,low,inconsistencies...etc” alot of different value, what i need is only from the first run to the first stop. Using your command they are adding the duration which I don’t need example the normal,low ,etc VALUE. Is there a way to just get RUN to STOP?</P> Mon, 30 Mar 2020 08:18:46 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498922#M138983 chookp 2020-03-30T08:18:46Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498923#M138984 <P><CODE>In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.</CODE><BR /> only first RUN and STOP?</P> Mon, 30 Mar 2020 09:04:13 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498923#M138984 to4kawa 2020-03-30T09:04:13Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498924#M138985 <P>Sure, just add this to the foundational search and keep the rest the same:</P> <PRE><CODE>... AND (VALUE="RUN" OR VALUE="STOP") ... </CODE></PRE> Mon, 30 Mar 2020 19:50:13 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498924#M138985 woodcock 2020-03-30T19:50:13Z https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498925#M138986 <P>thanks everything works nicely now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 01 Apr 2020 02:47:37 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-starts-with-ends-with/m-p/498925#M138986 chookp 2020-04-01T02:47:37Z