https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115110#M30450 <P>Your RegEx will never match (even if <CODE>url</CODE> has <CODE>http://</CODE> removed). To make it match, use something like this:</P> <PRE><CODE> index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?") </CODE></PRE> Thu, 09 Jul 2015 19:56:29 GMT woodcock 2015-07-09T19:56:29Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115106#M30446 <P>I need to find a sequence of activity that always start with:<BR /> <A href="http://abc.com/abc.html">http://abc.com/abc.html</A><BR /> <A href="http://abc.com/end.xvz">http://abc.com/end.xvz</A>?....</P> <P>so I tried to uses this search query:</P> <PRE><CODE>index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"^\/\w+\.\w+") </CODE></PRE> <P>However, the return result is 0 event.</P> <P>Is there anyway that I can refine it?</P> <P>Thank you so much</P> Thu, 09 Jul 2015 18:08:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115106#M30446 phudinhha 2015-07-09T18:08:09Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115107#M30447 <P>Dear woodcock,<BR /> The return result is 0 event. However, when i omit the "endswith" part, the expected "end.xvz?...." also shows in the event tab as a part of "/abc.html" event. What does it mean?</P> Thu, 09 Jul 2015 19:22:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115107#M30447 phudinhha 2015-07-09T19:22:26Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115108#M30448 <P>Try this:</P> <PRE><CODE> index=sourceindex | rex field=url "(?&lt;url_front&gt;[^\?]*)\/(?&lt;url_back&gt;.*)" | transaction url_front maxspan=30s endswith=eval(match(url_back,"end.xyz")) </CODE></PRE> <P>Actually, you may not even need the <CODE>endswith</CODE> part (which I know is wrong because I don't know what you are trying to match exactly).</P> Thu, 09 Jul 2015 19:33:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115108#M30448 woodcock 2015-07-09T19:33:24Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115109#M30449 <P>I recognized the pattern in network activities like this.</P> <P><A href="http://123.com/abc.html">http://123.com/abc.html</A><BR /> <A href="http://123.com/end.xvz">http://123.com/end.xvz</A>?....</P> <P>AND</P> <P><A href="http://456.com/abc.html">http://456.com/abc.html</A><BR /> <A href="http://456.com/quiz.one">http://456.com/quiz.one</A>?...</P> <P>So I want to use transaction to look for a sequence of activity that starts with "abc.html" and ends with ""^/w+.w+".</P> Thu, 09 Jul 2015 19:52:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115109#M30449 phudinhha 2015-07-09T19:52:32Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115110#M30450 <P>Your RegEx will never match (even if <CODE>url</CODE> has <CODE>http://</CODE> removed). To make it match, use something like this:</P> <PRE><CODE> index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?") </CODE></PRE> Thu, 09 Jul 2015 19:56:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-transaction-search-where-startswith-starts-with/m-p/115110#M30450 woodcock 2015-07-09T19:56:29Z