Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone explain how my transaction search works with endswith and multiple end statements?

toby6578
Path Finder
‎01-28-2015 06:20 AM

When I have multiple end statements in a transaction command, I use the following: endswith=eval(match(_raw,"complete") OR match(_raw,"terminated"))

This does work, so my question is, why?
My understanding is that eval(match) should return true or false depending on whether it can find either of the strings in _raw, but in order to use endswith I would have thought it needed to return the matching string?
Can someone explain to me how this works?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎02-04-2015 04:56 AM

Just a guess, but could it be that when it finds an event which matches "complete" or "terminated", that then marks that event as being the transaction termination event and closes the transaction. "endswith" isn't actually (probably) being set to the value of the flag, just a tag of some sort on that event.

I suspect you could create all sorts of odd syntax around the endswith and have it work, as long as it identifies an event as the ending event.

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎02-04-2015 04:56 AM

Just a guess, but could it be that when it finds an event which matches "complete" or "terminated", that then marks that event as being the transaction termination event and closes the transaction. "endswith" isn't actually (probably) being set to the value of the flag, just a tag of some sort on that event.

I suspect you could create all sorts of odd syntax around the endswith and have it work, as long as it identifies an event as the ending event.

Reply
Solved! Jump to solution

wpreston
Motivator
‎02-04-2015 05:48 AM

This is it. When you use endswith, you are telling the transaction function what criteria to look for to close a transaction. Endswith can be either a search statement (just like what would be written in the search bar), or can be an eval statement. If you use an eval statement it looks for whatever criteria you've declared in that eval. In your case, it's looking for the first event that returns true when the _raw field contains either "complete" or "terminated". You could just as easily write:

endswith="complete OR terminated"

and it would look for the matching strings.

Reply
Solved! Jump to solution

toby6578
Path Finder
‎02-04-2015 05:08 AM

Yeah I guess that's probably it, it's just annoying that there doesn't seem to be a set reason for this particular syntax to work, as it doesn't make sense with the descriptions that are in the search reference manual

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎01-28-2015 06:27 AM

why dont you just put endswith="complete"

that should cover both the ending points.

Reply
Solved! Jump to solution

toby6578
Path Finder
‎01-28-2015 06:29 AM

Good point, although those aren't the actual strings, they were an example. I shall change that now, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...