topic Re: why a transaction is still formed when it does not satisfy the "startswith" or "endswith" criteria in Splunk Search

why a transaction is still formed when it does not satisfy the "startswith" or "endswith" criteria

myli12 — Tue, 13 Mar 2012 21:28:56 GMT

I constructed transactions with "startswith" and "endswith" and I am trying to identify those incomplete transactions by using keepevicted=true. I would expect those incomplete transactions should have either "startwith" condition/event or "endswith" condition/event. I found that the splunk outputs some transactions that satisfy neither "startwith" nor "endswith" condition/event.

For example, the following search string

"A" "B" "C" "D" "E" | dedup _raw | transaction startswith ="A" endswith="B" keepevicted=true | NOT "A" AND NOT "B"

gives me one or two transactions. Since the transactions do not match my startswith or endswith criteria, I am just wondering why/how they are generated as transactions.

Re: why a transaction is still formed when it does not satisfy the "startswith" or "endswith" criteria

gkanapathy — Tue, 13 Mar 2012 22:15:46 GMT

keep_evicted keeps transactions that do not meet the criteria, but just marks them with a closed_txn value of 0.

Re: why a transaction is still formed when it does not satisfy the "startswith" or "endswith" criteria

myli12 — Tue, 13 Mar 2012 22:28:27 GMT

I understand keep_evicted = true keeps the incomplete transactios that do not satisfy all the transaction conditions, in my case, do not satisfy Both startswith AND endswith. However, It should satisfy either. My question is why there are transactions formed when not meeting Either startswith OR endswith condition?

Re: why a transaction is still formed when it does not satisfy the "startswith" or "endswith" criteria

ak — Wed, 30 May 2012 18:23:39 GMT

have you tried using unifyends=t as an option for your transaction command?