topic Re: Unable to get the open transactions whose events match the startsWith clause only in Splunk Search

Unable to get the open transactions whose events match the startsWith clause only

Krishna_R — Fri, 11 Jun 2010 04:45:53 GMT

I'm unable to list the transactions that have events matching with startWith clause but no events for endsWith clause (I'm using the keepevicted=t option aswell). I have a simplified file with only one event to test this:

2010-05-21 09:25:00 : (2314) : Calling function fetchTask

The query:

| rex field=message "Calling function (?<repFunction>.[a-zA-Z]+)" | rex field=message "Completed calling function (?<repFunction>.[a-zA-Z]+)"  | transaction thread_name repFunction startsWith=(message="Calling function*") endsWith=(message="Completed calling function*") keepevicted=t

Results:0

If I add the endsWith event as below, then I get the closed transaction result as expected.

2010-05-21 09:25:03 : (2314) : Completed calling function fetchTask

I'm not sure if I've missed anything here. Any pointers to list the open transaction would be appreciated.

Thanks, Krishna R

props.conf:

EXTRACT-serviceLog2 = \s:\s\((?P<thread_name>[^ ]*)\)\s:\s(?P<message>[^\r\n]*)

Re: Unable to get the open transactions whose events match the startsWith clause only

Lowell — Fri, 11 Jun 2010 21:17:49 GMT

Have you tried using startswith and endswith (all lowercase)? I'm not sure if that matters, but it's worth a try.

Re: Unable to get the open transactions whose events match the startsWith clause only

Lowell — Fri, 11 Jun 2010 21:28:45 GMT

Have you tried letting off the endswith message then building your own complete/not-complete field with an eval.

Try something like this:

| rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | eval my_close_txn=searchmatch("Completed",1,0)

Re: Unable to get the open transactions whose events match the startsWith clause only

Krishna_R — Sat, 12 Jun 2010 00:27:35 GMT

Hi Lowell,

dropping endswith didn't help (I tried the exact one you pasted) resulted 0 transactions.
i added keepevicted=t, it returned 1 transaction but closed_txn was 1. (I expected it to be 0 - to mark the transaction as open)

Re: Unable to get the open transactions whose events match the startsWith clause only

Krishna_R — Sat, 12 Jun 2010 00:28:05 GMT

Yes. I tried lowercase but there is no difference 🙂

Re: Unable to get the open transactions whose events match the startsWith clause only

Krishna_R — Sat, 12 Jun 2010 01:15:55 GMT

btw, those open transactions that match the endswith clause only (no events to match with startswith cluase) are shown in results as expected - in my original query.

Re: Unable to get the open transactions whose events match the startsWith clause only

Ledion_Bitincka — Sat, 12 Jun 2010 05:01:25 GMT

This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4)

In the meantime the following search will identify incomplete transactions:

... | rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | search NOT message="Completed calling function*"

Re: Unable to get the open transactions whose events match the startsWith clause only

Krishna_R — Sun, 13 Jun 2010 22:27:33 GMT

Thanks for this info! I will try other ways like you have adviced.

Re: Unable to get the open transactions whose events match the startsWith clause only

dskillman — Sat, 19 Jun 2010 01:06:58 GMT

This search "kind of" works. How would you report on a given period of time's open transactions? Using timechart with a span=1 and looking for eventcount=1 doens't seem to match.

Re: Unable to get the open transactions whose events match the startsWith clause only

Ledion_Bitincka — Fri, 02 Jul 2010 00:58:45 GMT

I'm not sure I understand what you're trying to do, can you please elaborate a bit more ?