Splunk Search

Can someone explain how my transaction search works with endswith and multiple end statements?

toby6578
Path Finder

When I have multiple end statements in a transaction command, I use the following: endswith=eval(match(_raw,"complete") OR match(_raw,"terminated"))

This does work, so my question is, why?
My understanding is that eval(match) should return true or false depending on whether it can find either of the strings in _raw, but in order to use endswith I would have thought it needed to return the matching string?
Can someone explain to me how this works?

1 Solution

Richfez
SplunkTrust
SplunkTrust

Just a guess, but could it be that when it finds an event which matches "complete" or "terminated", that then marks that event as being the transaction termination event and closes the transaction. "endswith" isn't actually (probably) being set to the value of the flag, just a tag of some sort on that event.

I suspect you could create all sorts of odd syntax around the endswith and have it work, as long as it identifies an event as the ending event.

wpreston
Motivator

This is it. When you use endswith, you are telling the transaction function what criteria to look for to close a transaction. Endswith can be either a search statement (just like what would be written in the search bar), or can be an eval statement. If you use an eval statement it looks for whatever criteria you've declared in that eval. In your case, it's looking for the first event that returns true when the _raw field contains either "complete" or "terminated". You could just as easily write:

endswith="complete OR terminated"

and it would look for the matching strings.
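To make the point of this answer concrete, here is a small Python model of how an endswith condition drives transaction grouping. It is an added illustration, not code from the thread or from Splunk itself: the event list is constructed, and the grouping logic is a simplified stand-in for the real transaction command (which also handles maxspan, maxpause, keepevicted and reverse-time scanning). What it shows is that the eval form only needs to return true or false for each event; the event for which it returns true is the one that closes the transaction, and the search-string form "complete OR terminated" behaves the same way.

```python
import re
from typing import Callable, Dict, List

# Constructed sample events (not from the thread), oldest first.
EVENTS = [
    {"_time": 1, "session": "A", "_raw": "session A started"},
    {"_time": 2, "session": "B", "_raw": "session B started"},
    {"_time": 3, "session": "A", "_raw": "session A step 1"},
    {"_time": 4, "session": "A", "_raw": "session A complete"},
    {"_time": 5, "session": "B", "_raw": "session B terminated by admin"},
    {"_time": 6, "session": "A", "_raw": "session A started"},
    {"_time": 7, "session": "A", "_raw": "session A step 1"},
]

Predicate = Callable[[dict], bool]


def match(text: str, pattern: str) -> bool:
    """Boolean regex test, mirroring what eval's match() returns: true or false."""
    return re.search(pattern, text) is not None


def endswith_eval(event: dict) -> bool:
    """The thread's endswith=eval(match(_raw,"complete") OR match(_raw,"terminated"))
    as a predicate. It never returns the matched string, only whether THIS event
    is the one that should close the transaction."""
    return match(event["_raw"], "complete") or match(event["_raw"], "terminated")


def endswith_search(terms: str) -> Predicate:
    """The equivalent search-string form, e.g. endswith="complete OR terminated".
    Simplified tokenizer: a term matches if it appears as a whole word in _raw."""
    wanted = {t.lower() for t in terms.split() if t.upper() != "OR"}

    def pred(event: dict) -> bool:
        tokens = set(re.findall(r"\w+", event["_raw"].lower()))
        return bool(wanted & tokens)

    return pred


def transaction(events: List[dict], by: str, endswith: Predicate) -> List[dict]:
    """Simplified model of `transaction <by> endswith=...` (assumption: this is a
    teaching model, not Splunk's algorithm). Events are walked oldest first; each
    event joins the open transaction for its key, and when the endswith predicate
    is true for an event that transaction is closed and emitted. Transactions
    still open at the end are emitted with closed_txn=0."""
    open_txns: Dict[str, List[dict]] = {}
    out: List[dict] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[by]
        open_txns.setdefault(key, []).append(ev)
        if endswith(ev):
            out.append({by: key, "events": open_txns.pop(key), "closed_txn": 1})
    for key, evs in open_txns.items():
        out.append({by: key, "events": evs, "closed_txn": 0})
    return out


def summarize(txns: List[dict], by: str = "session"):
    """Compact view: (key, event times, closed_txn) per transaction."""
    return [(t[by], [e["_time"] for e in t["events"]], t["closed_txn"]) for t in txns]


if __name__ == "__main__":
    for pred in (endswith_eval, endswith_search("complete OR terminated")):
        for row in summarize(transaction(EVENTS, "session", pred)):
            print(row)
```

Run it and both predicates yield the same grouping: session A closes at the "complete" event, session B closes at the "terminated" event, and the second session A transaction stays open because no closing event arrived. The takeaway is that endswith is a per-event test, not a value extractor.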

toby6578
Path Finder

Yeah, I guess that's probably it. It's just annoying that there doesn't seem to be a set reason for this particular syntax to work, as it doesn't make sense with the descriptions that are in the search reference manual.

0 Karma

linu1988
Champion

Why don't you just put endswith="complete"?

That should cover both the ending points.

toby6578
Path Finder

Good point, although those aren't the actual strings, they were an example. I shall change that now, thanks.

0 Karma