Splunk Search

Does combining startswith and maxspan in a transaction work?

chris
Motivator

Hi

Problem Description: I have transactions that start with an event containing keyword x and that are followed by one or more events with the keyword y. I also want to limit the transactions to a maximum timespan.

Example: So if I have events in the following order:

1 x
2 y
3 x
4 y
5 y
..
20 seconds later
..
6 y
7 y

I would like to have a transaction consisting of event 1 & 2 and a transaction consisting of events 3-5

Approaches so far: If I use the startswith option together with the maxspan option I get transactions that do not contain the string specified in startswith. This might be a limitation of the transaction command. The documentation states that not all options can be combined (http://www.splunk.com/base/Documentation/4.0.9/Knowledge/Searchfortransactions)

Does anyone know how to solve this?

Chris

1 Solution

sideview
SplunkTrust

Indeed it looks like maxspan, (as well as maxevents for that matter) trumps startswith.

In other words when the maxevents or maxspan condition terminates the current transaction row, the next event will start a new transaction even though the startswith condition may not be true.

So it sounds like you don't want these weird fragment transactions that you end up with.

It seems like a simple matter of filtering them out afterwards though and I think there's a reliable way.

eg: Say your startswith is a field, and you're using an eval expression like

| transaction cookie startswith=(url=*/login) maxspan=60s

and you want the transactions to only contain the first 60 seconds, then since there will only be exactly one occurrence of the url="*/login" field in the transaction, and precisely no occurrences in the fragment transactions, then you can just filter the unwanted ones away.

| transaction cookie startswith=(url=*/login) maxspan=60s | search NOT url=*/login

should do it.

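The behaviour the accepted answer describes can be checked without a Splunk instance. The following is an added example, not code from the original thread or from Splunk: a small Python model of `transaction cookie startswith=(url=*/login) maxspan=60s` in which maxspan closes the open transaction and the next event for that cookie opens a new one regardless of startswith (the model assumes an event arriving when nothing is open does the same), followed by the post-filter that discards the resulting fragments. The sample events, the `cookie`/`url` field names and the `/app/...` paths are constructed for the demonstration. One caveat for your own search: the intent is to drop transactions that contain no login event, so the filter below keeps transactions with a login; a `NOT url=*/login` search keeps the fragments instead, so check which way round you need it.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Event:
    t: int            # timestamp in seconds (constructed, not Splunk _time)
    cookie: str       # the field the transaction is grouped on
    url: str


def is_login(ev):
    """The startswith condition from the answer, url=*/login, as a predicate."""
    return fnmatch(ev.url, "*/login")


def transaction(events, startswith, maxspan):
    """Model of `transaction cookie startswith=<cond> maxspan=<s>` as the thread
    describes it: a new startswith event or an exceeded maxspan closes the open
    transaction, and the next event for that cookie opens a new one even when it
    does not satisfy startswith. An event arriving when nothing is open for its
    cookie also opens one (assumption of this model)."""
    open_tx = {}       # cookie -> events of the transaction being built
    closed = []
    for ev in sorted(events, key=lambda e: e.t):
        cur = open_tx.get(ev.cookie)
        if cur is not None and (startswith(ev) or ev.t - cur[0].t > maxspan):
            closed.append(cur)              # new start, or maxspan exceeded
            cur = None
        if cur is None:
            cur = open_tx[ev.cookie] = []
        cur.append(ev)
    closed.extend(open_tx.values())         # flush whatever is still open
    return closed


def drop_fragments(transactions, startswith):
    """The post-filter step: keep only transactions that contain a startswith
    event, so fragments created by maxspan (which contain none) are discarded."""
    return [tx for tx in transactions if any(startswith(ev) for ev in tx)]


# Constructed sample: one cookie whose session is longer than maxspan (so the
# 70s/90s events become a fragment), a second login for the same cookie, and a
# cookie that never logs in at all.
SAMPLE = [
    Event(0, "c1", "/app/login"),
    Event(30, "c1", "/app/home"),
    Event(70, "c1", "/app/cart"),
    Event(90, "c1", "/app/checkout"),
    Event(100, "c1", "/app/login"),
    Event(110, "c1", "/app/home"),
    Event(5, "c2", "/app/home"),
]


def demo(maxspan=60):
    """Returns (raw transactions, transactions after fragment filtering)."""
    raw = transaction(SAMPLE, is_login, maxspan)
    kept = drop_fragments(raw, is_login)
    return raw, kept


if __name__ == "__main__":
    raw, kept = demo()
    for label, txs in (("raw", raw), ("filtered", kept)):
        print(label)
        for tx in txs:
            print("  ", tx[0].cookie, [(e.t, e.url) for e in tx])
```

Running it shows four raw transactions for the sample (the two fragments `c1 [70, 90]` and `c2 [5]` among them) and two after filtering, each with exactly one login event, which is the property the answer relies on.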

Jason
Motivator

BTW this is still broken as of 4.1.8.


Jason
Motivator

Any response from support? This does seem to be a bug, as a transaction should always respect startswith and endswith, regardless of maxspan or maxevents values.


fox
Path Finder

Does the startswith value work better if you use an eventtype? Rather than a search string?



chris
Motivator

I opened a case with Splunk Support a while ago for this. I will post the response here


gkanapathy
Splunk Employee

Would it work for you to just leave "endswith" unspecified?


NK_1
Path Finder

Was it a bug? If it was, was it fixed? I am using v4.1.7 and might have this issue too.


gkanapathy
Splunk Employee

They should be able to. I might file it as a bug.


chris
Motivator

Hi gkanapathy,

thanks for the hint, I was looking in the wrong direction. I did not give enough detail/forgot to mention part of my problem in my question (I updated it).
I think I might have stumbled across a limitation of the transaction command. Could it be that startswith can't be combined with the maxspan option? If I add the maxspan option I get transactions that start with an event that does not contain the startswith string.
