https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238553#M70872 <P>Upgrade to the latest, it should resolve the issue.</P> Thu, 21 Jan 2016 04:24:08 GMT esix_splunk 2016-01-21T04:24:08Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238548#M70867 <P>I am grouping events using the transaction command. Sample search which gives expected results below : <BR /> <STRONG>Successful Search:</STRONG> </P> <PRE><CODE>(index=ind1 OR index=ind2) MachineId=1133 (log_text="*sometext1*" OR log_text="*sometext2*" OR log_text="*sometext3*" OR log_text="*sometext4*" OR log_text="*sometext5*" OR log_text="*sometext6*") | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text </CODE></PRE> <P>6 log_texts are transactions events. </P> <P>If I search removing log_text filters, transaction does not work. Sample search below: </P> <P><STRONG>Unsuccessful Search:</STRONG> </P> <PRE><CODE>(index=ind1 OR index=ind2) MachineId=1133 | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text </CODE></PRE> <P>I am unable to understand this. Can someone please explain?</P> Tue, 19 Jan 2016 12:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238548#M70867 abhinav_maxonic 2016-01-19T12:08:52Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238549#M70868 <P>Try this instead to ensure you are only displaying events where the log_text field has a value:</P> <PRE><CODE>(index=ind1 OR index=ind2) MachineId=1133 log_text=* | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text </CODE></PRE> Tue, 19 Jan 2016 13:11:10 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238549#M70868 javiergn 2016-01-19T13:11:10Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238550#M70869 <P>Already tried. This is also not working. </P> Wed, 20 Jan 2016 06:50:49 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238550#M70869 abhinav_maxonic 2016-01-20T06:50:49Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238551#M70870 <P>What version of Splunk are you using? There is a bug in 6.3 regarding the transaction command. (SPL-107742) This was resolved in 6.3.2..</P> Wed, 20 Jan 2016 07:31:27 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238551#M70870 esix_splunk 2016-01-20T07:31:27Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238552#M70871 <P>I am using Splunk 6.3.0 . So will it work fine in 6.3.2 ?</P> Thu, 21 Jan 2016 04:21:40 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238552#M70871 abhinav_maxonic 2016-01-21T04:21:40Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238553#M70872 <P>Upgrade to the latest, it should resolve the issue.</P> Thu, 21 Jan 2016 04:24:08 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238553#M70872 esix_splunk 2016-01-21T04:24:08Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238554#M70873 <P>Ok. I'll try that. </P> Thu, 21 Jan 2016 05:18:23 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238554#M70873 abhinav_maxonic 2016-01-21T05:18:23Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238555#M70874 <P>Upgrading didn't worked .. Still not getting results. Now using splunk 6.3.2 . Any other suggestion ? or any other possibility or reason, why its not working ..</P> Thu, 21 Jan 2016 06:44:15 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238555#M70874 abhinav_maxonic 2016-01-21T06:44:15Z https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238556#M70875 <P>OK, without knowing what sometext is I would try the following and see if that works:</P> <PRE><CODE>(index=ind1 OR index=ind2) MachineId=1133 log_text=* | fields _time, log_text | transaction startswith=eval(match(log_text, "sometext1")) endswith=eval(match(log_text, "sometext2")) mvlist=true | table _time, log_text </CODE></PRE> <P>Note the difference in the startswith and endswith filters.</P> Thu, 21 Jan 2016 10:09:40 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-Command-startswith-endswith-not-working-without/m-p/238556#M70875 javiergn 2016-01-21T10:09:40Z