topic Re: Transaction failures in Splunk Search

Transaction failures

twinspop — Wed, 16 Jun 2010 01:17:00 GMT

Trying to get a transaction search to work. The transaction is logged in 2 different log sources, with the matching field named differently in each. I use rename to match them up. The DXI events have CORRELATIONID, the sendMessage events have msgid.

I manually found 1 that I know exists and searched for its GUID explicitly, along with the 2 identifiers I'll use in the generic search, and piped them into transaction. The maxspan is 130m because the test transaction takes about 123m to complete.

(DXI OR sendMessage) 652F5692-5F3F-3434-F47B-180BA1CBDDEF | rename CORRELATIONID as msgid | transaction msgid keepevicted=true maxspan=130m

1 transaction returned with an eventcount of 2. Exactly the result I expected. Now let's remove the GUID and see all of them:

DXI OR sendMessage | rename CORRELATIONID as msgid | transaction msgid keepevicted=true maxspan=130m

Nope. Not even the test case above is matched. Same time frame searched. What am I missing? There are ~ 90k msgid matches in the target time frame. Too many to run a transaction against with defaults limits set?

Thanks

Re: Transaction failures

gkanapathy — Wed, 16 Jun 2010 02:42:18 GMT

Yes. Try setting the maxopentxn parameter as a transaction argument. By default, it will only leave open 5000 transactions. Feel free to raise it to several hundred thousand or higher. You might also want to raise maxopenevents.

Also, if you just want the eventcount or some other fields in the events, rather than the full event, use stats:

 ... | stats count as evencount, max(_time) as endtime, min(_time) as starttime, first(otherfield) as otherfield by msgid

I'm assuming that since msgids are GUIDs, the maxspan doesn't matter at all, and could be infinite.

Re: Transaction failures

twinspop — Wed, 16 Jun 2010 03:47:53 GMT

Excellent. Thanks.