topic Re: What are transaction evicted and orphaned events? in Splunk Search

What are transaction evicted and orphaned events?

frbuser — Thu, 26 Mar 2020 19:18:59 GMT

In regards to the transaction command, what are orphaned events and evicted events?

Is there a way to filter out logs which were not combined with other logs after using the transaction command?

Re: What are transaction evicted and orphaned events?

vnakra_splunk — Thu, 26 Mar 2020 19:30:35 GMT

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction - describes orphans and evictions.

Re: What are transaction evicted and orphaned events?

frbuser — Thu, 26 Mar 2020 20:27:57 GMT

it's not clear from this what they are. It only tells you how to keep them. Orphans sounds like events that aren't in transactions. But it's not clear under what circumstances this happens.

Re: What are transaction evicted and orphaned events?

to4kawa — Fri, 27 Mar 2020 22:12:27 GMT

index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

keeporphans controls there is transaction group OR not. try and see the result with keeporphans=f and keeporphans=t
keepevicted controls events outside the range specified by options.

see The 'closed_txn' field is set to '1' if one of the following conditions is met: maxevents, maxpause, maxspan, startswith. For startswith, because the transaction command sees events in reverse time order, it closes a transaction when it satisfies the start condition.
sorry, I can't create example.

Re: What are transaction evicted and orphaned events?

frbuser — Mon, 30 Mar 2020 13:53:22 GMT

so keeporphans will keep logs that were NOT grouped together in the results?

Re: What are transaction evicted and orphaned events?

to4kawa — Mon, 30 Mar 2020 17:19:40 GMT

do you check true or false?

Re: What are transaction evicted and orphaned events?

frbuser — Mon, 30 Mar 2020 17:39:27 GMT

yes I still see events that show up in the results where linecount=1. So that still doesn't answer my Q as it seems events which have not been grouped still show up in the results whether true or false.

Re: What are transaction evicted and orphaned events?

to4kawa — Mon, 30 Mar 2020 17:52:14 GMT

keeporphans
true : linecount=1 counts 175
false: linecount=1 count 2

this is my results. maybe, yours too.
keeporphans controls there is transaction group OR not.
sorry, My english may be a bit strange.

Re: What are transaction evicted and orphaned events?

frbuser — Mon, 30 Mar 2020 18:14:26 GMT

in my case, the results are the same, meaning I get the same number of events regardless of if keeporphans is true or false. I am only using transaction on one field.

How are you defining a "transaction group"?

Re: What are transaction evicted and orphaned events?

to4kawa — Mon, 30 Mar 2020 19:00:18 GMT

 index=_internal sourcetype=splunkd earliest=-5m
 | transaction group keeporphans=f

In sourcetype=splunkd event, There may or may not be the group field.
If there is not group field. keeporphans=f can't display events .
but keeporphans=t , it can display events.

Re: What are transaction evicted and orphaned events?

frbuser — Mon, 30 Mar 2020 19:08:01 GMT

OK so the way I would describe that is orphaned events are logs which don't contain the transaction field(s).

Do you know how to filter out the events that weren't combined other than using linecount>2?

Re: What are transaction evicted and orphaned events?

to4kawa — Mon, 30 Mar 2020 19:29:40 GMT

there is many ways.

Re: What are transaction evicted and orphaned events?

frbuser — Mon, 30 Mar 2020 20:06:20 GMT

there are* many ways.