Yes, that is fine; you can use either one, none, or both. Not only do these help define event boundaries but they also help define what is/not a closed_txn and impact the performance (speed) and accuracy of the search.
Based on your clarification, you can use endswith="your specific stuff" startswith="1=1" and that should do it by making sure that every transaction has a startswith so that only those without an endswith do not close.
ARGH! When am I going to learn to test my answers? I made a mistake in the syntax, it should be endswith="your specific stuff" startswith=eval("1"="1").
The simple answer is: yes. Take this simple run-everywhere command:
index=_audit | transaction user endswith="action=login*"
This will work and will return events.
The same is with only the
index=_audit | transaction user startswith="action=login*"
Hope this helps ...
Actually, I mean that when I use endswith only, closed_txn=0 all the time and the transaction is not closed, despite there being many events that match this condition. But when I add startswith, I start to see closed_txn=1, and when I checked some forums I found the answer that I added in the question. So what I need to know is whether there is any way to use only endswith and get closed_txn=1 without the use of any other condition.
I know that it will work, but it will not lead to closed_txn=1.
I would like to have one condition, which is endswith, that leads to closed_txn=1.
Thanks in advance
Why do you ask if it will work, if you know it does? You should ask the question with your real requirement instead, which is the latest comment you made.