Hi.
I would like to understand why Splunk does not close a transaction with only 1 event if I force a STARTSWITH parameter... I tried all possible parameters, but with STARTSWITH there's no way, the transaction is dropped...
timestamp ..... user=XXXXXXXXXXXXXX action=login_do from=127.0.0.1 status=failed
.... | transaction maxevents=-1 user from startswith="login_do"
... no events returned...
.... | transaction maxevents=-1 user from
... event caught!!!
Thanks.
Hi @verbal_666 ,
Have you tried adding the keepevicted=t first and then keeporphans=t in order to see if any of them are returning anything and if so, find out why that particular transaction is being evicted or treated as an orphan?
Regards,
J
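One way to run the check J suggests on a single constructed event, as an added example that is not from the thread (the timestamp, user name and address in the makeresults line are made-up sample values):

```spl
| makeresults
| eval _raw="2024-05-01T10:15:00 user=alice action=login_do from=127.0.0.1 status=failed"
| rex field=_raw "user=(?<user>\S+)\s+action=(?<action>\S+)\s+from=(?<from>\S+)\s+status=(?<status>\S+)"
| transaction user from maxevents=-1 startswith="login_do" keepevicted=t
| table user from action status eventcount closed_txn
```

With keepevicted=t the lone login_do event comes back as a transaction with closed_txn=0, which is Splunk's marker for an evicted transaction (one that was opened but never closed); the same search without keepevicted=t returns nothing, because startswith opened a transaction that no later event closed.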
Sometimes Splunk surprises!!!
The code that yesterday did not work properly now works 🙄
transaction keepevicted=f keeporphans=f maxevents=-1 startswith="login_do" user from
Now works!!! I didn't change anything in the query... very very strange!!!
I was sure I had used all parameters, but maybe I was wrong with some boolean 😑
transaction keepevicted=t keeporphans=t maxevents=-1 startswith="login_do" user from
closes the single-event transaction... I was sure I had used both of them, maybe my mistake!!! Just the "keepevicted=t" is enough.
Thanks a lot!!! 👍