Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can someone explain how my transaction search work...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I have multiple end statements in a transaction command, I use the following: endswith=eval(match(_raw,"complete") OR match(_raw,"terminated"))
This does work, so my question is, why?
My understanding is that eval(match) should return true or false depending on whether it can find either of the strings in _raw, but in order to use endswith I would have thought it needed to return the matching string?
Can someone explain to me how this works?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a guess, but could it be that when it finds an event which matches "complete" or "terminated", that then marks that event as being the transaction termination event and closes the transaction. "endswith" isn't actually (probably) being set to the value of the flag, just a tag of some sort on that event.
I suspect you could create all sorts of odd syntax around the endswith and have it work, as long as it identifies an event as the ending event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a guess, but could it be that when it finds an event which matches "complete" or "terminated", that then marks that event as being the transaction termination event and closes the transaction. "endswith" isn't actually (probably) being set to the value of the flag, just a tag of some sort on that event.
I suspect you could create all sorts of odd syntax around the endswith and have it work, as long as it identifies an event as the ending event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is it. When you use endswith, you are telling the transaction function what criteria to look for to close a transaction. Endswith can be either a search statement (just like what would be written in the search bar), or can be an eval statement. If you use an eval statement it looks for whatever criteria you've declared in that eval. In your case, it's looking for the first event that returns true when the _raw field contains either "complete" or "terminated". You could just as easily write:
endswith="complete OR terminated"
and it would look for the matching strings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I guess that's probably it, it's just annoying that there doesn't seem to be a set reason for this particular syntax to work, as it doesn't make sense with the descriptions that are in the search reference manual
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why dont you just put endswith="complete"
that should cover both the ending points.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point, although those aren't the actual strings, they were an example. I shall change that now, thanks.
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
Data Persistence in the OpenTelemetry Collector
Thanks for the Memories! Splunk University, .conf25, and our Community
