https://community.splunk.com/t5/Splunk-Search/Transaction-not-providing-all-events-in-target-range/m-p/161498#M45674 <P>Howdy:<BR /> I'm a new Splunker so this may be a dumb question. I have looked around splunk&gt;Answers and couldn't find a solution to my problem, So here it goes. Using Splunk Enterprise 6.1.2 on Mac OS X.</P> <P>transactiontypes.conf has this definition:</P> <P>[aaRegistration]<BR /> maxspan = 2h<BR /> maxpause = 2h<BR /> maxevents = 10000<BR /> unifyends = t<BR /> fields = _time, host, _raw<BR /> startswith = "::aaRegistration"<BR /> endswith = "aa"</P> <P>The indexed events already loaded into Splunk look like this:<BR /> ...<BR /> <DATESTAMP> aaRegistration<BR /> ...<BR /> ... events during “aaRegistration” phase, all with datestamp<BR /> ...<BR /> <DATESTAMP> aaCalibration<BR /> ..<BR /> .... events during “aaCalibration” phase, all with datestamp<BR /> ...<BR /> <DATESTAMP> aaInfo<BR /> ...<BR /> ... events during “aaInfo” phase<BR /> ...<BR /> <DATESTAMP> aaMarks<BR /> ...<BR /> ... events during “aaMarks” phase, all with datestamp<BR /> ...</DATESTAMP></DATESTAMP></DATESTAMP></DATESTAMP></P> <P>When I search with this:<BR /> host=hostA sourcetype="typeB" earliest="05/02/2014:00:00:00" latest="05/03/2014:00:00:00" | transaction name=aaRegistration</P> <P>The result does show the one event that starts the transaction. But I do not get any of the events between the start and the end, just a single event.</P> <P>Question: what do I need to change to be able to see a list of <EM>all</EM> events that occurred between the start and the end of the “aaRegistration” phase?</P> <P>Pointers appreciated. Thanks.</P> Tue, 29 Jul 2014 14:59:38 GMT jlacal 2014-07-29T14:59:38Z https://community.splunk.com/t5/Splunk-Search/Transaction-not-providing-all-events-in-target-range/m-p/161498#M45674 <P>Howdy:<BR /> I'm a new Splunker so this may be a dumb question. I have looked around splunk&gt;Answers and couldn't find a solution to my problem, So here it goes. Using Splunk Enterprise 6.1.2 on Mac OS X.</P> <P>transactiontypes.conf has this definition:</P> <P>[aaRegistration]<BR /> maxspan = 2h<BR /> maxpause = 2h<BR /> maxevents = 10000<BR /> unifyends = t<BR /> fields = _time, host, _raw<BR /> startswith = "::aaRegistration"<BR /> endswith = "aa"</P> <P>The indexed events already loaded into Splunk look like this:<BR /> ...<BR /> <DATESTAMP> aaRegistration<BR /> ...<BR /> ... events during “aaRegistration” phase, all with datestamp<BR /> ...<BR /> <DATESTAMP> aaCalibration<BR /> ..<BR /> .... events during “aaCalibration” phase, all with datestamp<BR /> ...<BR /> <DATESTAMP> aaInfo<BR /> ...<BR /> ... events during “aaInfo” phase<BR /> ...<BR /> <DATESTAMP> aaMarks<BR /> ...<BR /> ... events during “aaMarks” phase, all with datestamp<BR /> ...</DATESTAMP></DATESTAMP></DATESTAMP></DATESTAMP></P> <P>When I search with this:<BR /> host=hostA sourcetype="typeB" earliest="05/02/2014:00:00:00" latest="05/03/2014:00:00:00" | transaction name=aaRegistration</P> <P>The result does show the one event that starts the transaction. But I do not get any of the events between the start and the end, just a single event.</P> <P>Question: what do I need to change to be able to see a list of <EM>all</EM> events that occurred between the start and the end of the “aaRegistration” phase?</P> <P>Pointers appreciated. Thanks.</P> Tue, 29 Jul 2014 14:59:38 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-not-providing-all-events-in-target-range/m-p/161498#M45674 jlacal 2014-07-29T14:59:38Z https://community.splunk.com/t5/Splunk-Search/Transaction-not-providing-all-events-in-target-range/m-p/161499#M45675 <P>Hello:<BR /> Not really answering my own question but just posting this as it may be useful to others facing the same issue.</P> <P>"You have to have a common field to match on for the transaction command"<BR /> From: <A href="http://answers.splunk.com/answers/91742/grouping-of-similar-events">http://answers.splunk.com/answers/91742/grouping-of-similar-events</A></P> <P>It looks like I may need to create a new field to use for the "transaction" to group on.<BR /> Using my example above, I may need to add a new field (let's call it "phase_name") that describes which "phase" of the program each event belongs to.</P> <P>For example:<BR /> <DATESTAMP> aaRegistration<BR /> ...<BR /> ... events during “aaRegistration” phase, all with datestamp<BR /> ...<BR /> <DATESTAMP> aaCalibration</DATESTAMP></DATESTAMP></P> <P>I may need to add a new field where all events after<BR /> <DATESTAMP> aaRegistration<BR /> have "phase_name" = "aaRegistration"</DATESTAMP></P> <P>Then I may (hopefully) be able to retrieve the "aaRegistration" transaction by using the "phase_name" field.</P> Wed, 30 Jul 2014 15:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-not-providing-all-events-in-target-range/m-p/161499#M45675 jlacal 2014-07-30T15:40:23Z