
Can transaction be used only with "endswith" without use of "startswith"?

Path Finder

Can transaction be used with endswith only, without using startswith?
I read that transaction processes events from latest to oldest, so we can't use endswith only?
Is it possible to use startswith alone?


Re: Can transaction be used only with "endswith" without use of "startswith"?

Esteemed Legend

Yes, that is fine; you can use either one, none, or both. Not only do these help define event boundaries, but they also help define what is or is not a closed_txn and impact the performance (speed) and accuracy of the search.


Re: Can transaction be used only with "endswith" without use of "startswith"?

Esteemed Legend

Based on your clarification, you can use endswith="your specific stuff" startswith="1=1" and that should do it by making sure that every transaction has a startswith so that only those without an endswith do not close.


Re: Can transaction be used only with "endswith" without use of "startswith"?

Path Finder

Thanks a lot woodcock for your answer, I think it will work.


Re: Can transaction be used only with "endswith" without use of "startswith"?

Path Finder

Unfortunately it didn't work.


Re: Can transaction be used only with "endswith" without use of "startswith"?

Esteemed Legend

ARGH! When am I going to learn to test my answers? I made a mistake in the syntax, it should be endswith="your specific stuff" startswith=eval("1"="1").


Re: Can transaction be used only with "endswith" without use of "startswith"?

SplunkTrust

Hi Ahmedkhalil,

The simple answer is, Yes. Take this simple run everywhere command:

index=_audit | transaction user endswith="action=login*"

This will work and will return events.
The same is with only the startswith option:

index=_audit | transaction user startswith="action=login*"

Hope this helps ...

cheers, MuS


Re: Can transaction be used only with "endswith" without use of "startswith"?

Path Finder

Actually, I mean that when I use endswith only, closed_txn=0 all the time and the transaction is not closed, despite there being many events that match this condition. But when I add startswith I start to see closed_txn=1, and when I checked some forums I found the answer that I added in the question. So what I need to know is whether there is any way to use only endswith and get closed_txn=1 without using any other condition.


Re: Can transaction be used only with "endswith" without use of "startswith"?

Path Finder

I know that it will work, but it will not lead to closed_txn=1.
I would like to have one condition, which is endswith, that leads to closed_txn=1.
Thanks in advance.


Re: Can transaction be used only with "endswith" without use of "startswith"?

SplunkTrust

Why do you ask if it will work, if you know it does? You should ask the question with your real requirement instead, which is your latest comment.
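To settle the closed_txn question empirically rather than by reading forum posts, here is an added diagnostic search (not from any of the posters above) that runs the three variants discussed in this thread side by side on the run-anywhere _audit example and compares how many of the resulting transactions were actually closed. It assumes the default transaction output fields closed_txn and eventcount, and a narrow time range, since the appended subsearches are subject to the usual subsearch result limits.

```spl
index=_audit | transaction user endswith="action=login*"
| eval variant="endswith only"
| append [ search index=_audit
    | transaction user startswith="action=login*"
    | eval variant="startswith only" ]
| append [ search index=_audit
    | transaction user endswith="action=login*" startswith=eval("1"="1")
    | eval variant="endswith + always-true startswith" ]
| stats count AS transactions, sum(closed_txn) AS closed_transactions,
        avg(eventcount) AS avg_events_per_txn BY variant
```

If closed_transactions stays at 0 for the endswith-only row while the other rows climb, that confirms the behaviour described in the question; the avg_events_per_txn column also shows how much an always-true startswith shortens each transaction, which matters if the transactions feed detection logic.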