https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164847#M46816 <P>yes you can.</P> Sat, 25 Apr 2015 08:49:17 GMT fdi01 2015-04-25T08:49:17Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164839#M46808 <P>Hi,</P> <P>I need small help from you, I am calculating duration of each transaction of on userid.</P> <P>My query:</P> <P>index=A sourcetype=B host=ABC | rex field=_raw "-R(?.*)-I" | rex field=_raw "status<A href="https://community.splunk.com/?.*" target="_blank">\s</A>" |transaction DID maxevents=10000 startswith="Beginning session" endswith="Ending session" | convert ctime(_time) as time |eval endtime= _time+duration |convert ctime(endtime) as Endtime| eval hour=strftime(_time, "%H")|eval status=if(result="0","Success", "Error") | table DID time Endtime duration Project host result status hour </P> <P>the above query is giving correct results only, but there is some transactions which is not having 'Ending session', for some transaction there is no 'Beginning and ending session'. I know that where the beginning and end session are not there were incomplete transactions and their status is error. but I am not getting those DIDs in my output, I am getting only where Beginning and ending session DIDs. </P> <P>Pl help me to do this</P> <P>here is some sample logs which not having beginning and ending sessions </P> <P>Logs:<BR /> 1. <STRONG>No Ending session but having 3-4 log lines</STRONG><BR /> 117,20150418 05:09:42.860,155,32,MIV,1615241 - 0xc64,-P -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Beginning session<BR /> 208,20150418 05:10:18.111,155,32,MIV,1615241 - 0xc64,-PC2BBD -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Processed package bc7f579a-6a59-495f-b23e-059ea49e963c from client 6801ddbc-1528-472f-805a-d9645c4ffa0c<BR /> 208,20150418 05:12:21.193,155,32,MIV,1615241 - 0xc64,-PCX2J6 -R6801ddbc-1528-472f-805a-d9645c4ffa0c -I351 Processed package deca35af-62f4-4db4-8fa5-ff01784f085d from client 6801ddbc-1528-472f-805a-d9645c4ffa0c </P> <OL> <LI><P><STRONG>No ending session with one log line</STRONG><BR /> 118,20150418 09:52:10.058,155,32,MIV,1634745 - 0x1aac,-P -Rbde65047-6274-4fbf-98bd-b8593b014dd9 -I152 Beginning session</P></LI> <LI><P><STRONG>For some dids there is no beginning session and endining session as per logs its starting with ‘session does not exist’</STRONG></P></LI> </OL> <P>277,20150414 14:15:56.227,155,4,MIV,1333626 - 0x13a4,-P -R -I Session does not exist for 2dd0b5a3-bcbe-428f-b8b0-23aefc96e0a4<BR /> 268,20150414 14:08:53.198,155,4,MIV,1333626 - 0x13a4,-P -R -I Session does not exist for 9edb5b57-85f1-47c6-a3e3-62ebf5767990</P> <P>Thanks in advance</P> Mon, 28 Sep 2020 19:40:20 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164839#M46808 Laya123 2020-09-28T19:40:20Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164840#M46809 <P>I think you would like to keep include events that dont match the transaction command. You can add the 'keepevicted=true' flag to your transaction command in search. Then all of your events will have a 'closed_txn' field which is boolean 0 or 1 depending if the transaction is complete or not. From there you can look at non-closed transaction events and decide what to do..</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction</A></P> Fri, 24 Apr 2015 04:54:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164840#M46809 esix_splunk 2015-04-24T04:54:25Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164841#M46810 <P>Hi,</P> <P>Thanks for your immediate response,</P> <P>I tried keepevicted and close_txn but i didnt get the results what i expected. May be I am using these 2 commands in wrong place, If you dont mind can you please tell me where I can use these 2 commands with a small example</P> <P>thank you so much</P> <P>Regards</P> Fri, 24 Apr 2015 05:13:56 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164841#M46810 Laya123 2015-04-24T05:13:56Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164842#M46811 <P>Refer to the docs for syntax : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction</A></P> <P>... | transaction keepevicted=true ....</P> <P>After that, you will have a new field called closed_txn. Filter your results based on the values of that field and see how your results look. </P> Fri, 24 Apr 2015 05:19:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164842#M46811 esix_splunk 2015-04-24T05:19:25Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164843#M46812 <P>Thank you so much, I will try this and let you know </P> Fri, 24 Apr 2015 05:25:42 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164843#M46812 Laya123 2015-04-24T05:25:42Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164844#M46813 <P>Hi, </P> <P>I tried keepevicted =true but no luck. Pl suggest me is there any other way to do this</P> <P>Thanks &amp; Regards</P> Fri, 24 Apr 2015 13:43:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164844#M46813 Laya123 2015-04-24T13:43:48Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164845#M46814 <P>for :<BR /> <STRONG>No Ending session but having 3-4 log lines</STRONG> try like this:</P> <PRE><CODE> ...|transaction DID maxevents=10000 startswith="Beginning session" |... </CODE></PRE> <P><STRONG>For some dids there is no beginning session and endining session as per logs its starting with ‘session does not exist’</STRONG><BR /> try like this:</P> <PRE><CODE> ...|transaction "Session does not exist" maxevents=10000|... </CODE></PRE> <P>or </P> <P>you can use this transaction option <CODE>keeporphans=true</CODE><BR /> because it Specify whether the transaction command should output the results that are not part of any transactions. The results that are passed through as "orphans" are distinguished from transaction events with a _txn_orphan field, which has a value of 1 for orphan results. Defaults to false.</P> Mon, 28 Sep 2020 19:40:28 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164845#M46814 fdi01 2020-09-28T19:40:28Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164846#M46815 <P>Hi,</P> <P>Thank you for your response,</P> <P>It means you want me to use two transactions in one search</P> <P>Regards</P> Fri, 24 Apr 2015 14:59:54 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164846#M46815 Laya123 2015-04-24T14:59:54Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164847#M46816 <P>yes you can.</P> Sat, 25 Apr 2015 08:49:17 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164847#M46816 fdi01 2015-04-25T08:49:17Z https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164848#M46817 <P>as per your suggestion i have taken two transactions but its giving error.</P> Mon, 27 Apr 2015 13:26:59 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-incomplete-transactions/m-p/164848#M46817 Laya123 2015-04-27T13:26:59Z