https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157385#M185804 <P>Got it. Thanks!</P> Wed, 27 Nov 2013 17:11:33 GMT Craigrow 2013-11-27T17:11:33Z https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157383#M185802 <P>I have a log which is tracking objects as they get moved around by a state machine. The log records a timestamp, the GUID of the object that was moved and the to and from states for the object. </P> <P>When the state machine moves object to state=foo, this is the beginning of the transaction I want to see. Then the object will then cycle between states foo and bar for some time. Eventually they leave state=foo and go to a state other than foo or bar. That is the end of the transaction. </P> <P>This is the search that I wrote. When I look at these transactions I'm not seeing what I expected. Am I doing this correctly?</P> <P>transaction ObjectGUID startswith(ToState=foo AND FromState!=bar) endswith(FromState=foo AND ToState!=bar)</P> Tue, 26 Nov 2013 22:44:43 GMT https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157383#M185802 Craigrow 2013-11-26T22:44:43Z https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157384#M185803 <P>You're missing equal signs. <CODE>startswith</CODE> and <CODE>endswith</CODE> options need to be followed by <CODE>=</CODE></P> <P>Example dataset: </P> <P><CODE>Tue Nov 26 19:25:51 EST 2013 ToState=foo FromState=qux objectGUID=abc<BR /> Tue Nov 26 19:25:52 EST 2013 ToState=bar objectGUID=abc<BR /> Tue Nov 26 19:25:53 EST 2013 ToState=foo objectGUID=abc<BR /> Tue Nov 26 19:25:54 EST 2013 ToState=bar objectGUID=abc<BR /> Tue Nov 26 19:25:55 EST 2013 ToState=foo objectGUID=abc<BR /> Tue Nov 26 19:25:56 EST 2013 ToState=baz FromState=foo objectGUID=abc<BR /> Tue Nov 26 19:25:57 EST 2013 ToState=qux objectGUID=abc<BR /> Tue Nov 26 19:25:58 EST 2013 ToState=baz objectGUID=abc<BR /> Tue Nov 26 19:25:59 EST 2013 ToState=qux objectGUID=abc<BR /> Tue Nov 26 19:26:00 EST 2013 ToState=baz objectGUID=abc<BR /> Tue Nov 26 19:26:01 EST 2013 ToState=qux objectGUID=abc<BR /> Tue Nov 26 19:26:02 EST 2013 ToState=baz objectGUID=abc</CODE></P> <P><CODE>index=main | transaction objectGUID startswith=(ToState=foo AND FromState!=bar) endswith=(FromState=foo AND ToState!=bar)</CODE></P> <P>Results: </P> <P><CODE>Tue Nov 26 19:25:51 EST 2013 ToState=foo FromState=qux objectGUID=abc <BR /> Tue Nov 26 19:25:52 EST 2013 ToState=bar objectGUID=abc <BR /> Tue Nov 26 19:25:53 EST 2013 ToState=foo objectGUID=abc <BR /> Tue Nov 26 19:25:54 EST 2013 ToState=bar objectGUID=abc <BR /> Tue Nov 26 19:25:55 EST 2013 ToState=foo objectGUID=abc<BR /> Tue Nov 26 19:25:56 EST 2013 ToState=baz FromState=foo objectGUID=abc</CODE></P> Wed, 27 Nov 2013 00:41:33 GMT https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157384#M185803 _d_ 2013-11-27T00:41:33Z https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157385#M185804 <P>Got it. Thanks!</P> Wed, 27 Nov 2013 17:11:33 GMT https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157385#M185804 Craigrow 2013-11-27T17:11:33Z https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157386#M185805 <P>Got it. Thanks!</P> Wed, 27 Nov 2013 17:11:50 GMT https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157386#M185805 Craigrow 2013-11-27T17:11:50Z https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157387#M185806 <P>Hi Craig, it your question was answered, please check the "accept" icon, it will help the other user to find useful information and reward the person that answered.</P> Fri, 29 Nov 2013 01:25:03 GMT https://community.splunk.com/t5/Splunk-Search/Am-I-using-the-transaction-command-correctly/m-p/157387#M185806 yannK 2013-11-29T01:25:03Z