Splunk Search

Does combining startswith and maxspan in a transaction work?

Motivator

Hi

Problem Description: I have transactions that start with an event containing keyword x and that are followed by one or more events with the keyword y. I also want to limit the transactions to a maximum timespan.

Example: So if I have events in the following order:

1 x
2 y
3 x
4 y
5 y
..
20 seconds later
..
6 y
7 y

I would like to have a transaction consisting of event 1 & 2 and a transaction consisting of events 3-5

Approaches so far: If I use the startswith option together with the maxspan option I get transactions that do not contain the string specified in startswith. This might be a limitation of the transaction command. The documentation states that not all options can be combined (http://www.splunk.com/base/Documentation/4.0.9/Knowledge/Searchfortransactions).

Does anyone know how to solve this?

Chris


Re: Does combining startswith and maxspan in a transaction work?

Splunk Employee

Would it work for you to just leave "endswith" unspecified?


Re: Does combining startswith and maxspan in a transaction work?

Motivator

Hi gkanapathy,

thanks for the hint, I was looking in the wrong direction. I did not give enough detail/forgot to mention part of my problem in my question (I updated it).
I think I might have stumbled across a limitation of the transaction command. Could it be that startswith can't be combined with the maxspan option? If I add the maxspan option I get transactions that start with an event that does not contain the startswith string.


Re: Does combining startswith and maxspan in a transaction work?

Splunk Employee
Splunk Employee

They should be able to. I might file it as a bug.


Re: Does combining startswith and maxspan in a transaction work?

Path Finder

Was it a bug? If it was, was it fixed? I am using v4.1.7 and might have this issue too.


Re: Does combining startswith and maxspan in a transaction work?

Motivator

I opened a case with Splunk Support a while ago for this. I will post the response here.


Re: Does combining startswith and maxspan in a transaction work?

SplunkTrust

Indeed, it looks like maxspan (as well as maxevents, for that matter) trumps startswith.

In other words when the maxevents or maxspan condition terminates the current transaction row, the next event will start a new transaction even though the startswith condition may not be true.

So it sounds like you don't want these weird fragment transactions that you end up with.

It seems like a simple matter of filtering them out afterwards though and I think there's a reliable way.

eg: Say your startswith is a field, and you're using an eval expression like

| transaction cookie startswith=(url=*/login) maxspan=60s

and you want the transactions to only contain the first 60 seconds, then since there will be exactly one occurrence of the url="*/login" field in each transaction, and precisely no occurrences in the fragment transactions, you can just filter the unwanted ones away.

| transaction cookie startswith=(url=*/login) maxspan=60s | search NOT url=*/login

should do it.

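The grouping behaviour described in the question and in this answer, as an added example that is not code from the original thread or from Splunk: a small Python model of how `transaction <key> startswith=... maxspan=...` groups events, reproducing the fragment transactions the thread describes (a transaction closed by maxspan is followed by a new one that opens at the next event even though it does not satisfy startswith), plus the post-filter that removes those fragments. The `Event` type, the `transaction` and `filter_fragments` functions, the sample events and the forward-time processing order are all assumptions of this model, not Splunk internals; it is meant to show why the filter works, not to be a faithful reimplementation of the command.

```python
"""Toy model of Splunk's `transaction` command with startswith + maxspan.

Added example, not code from the original thread. It models the behaviour the
thread describes (maxspan trumps startswith, leaving "fragment" transactions)
and the post-filter workaround. Processing order and span measurement are
assumptions of this model, not a description of Splunk internals.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    t: float   # timestamp in seconds (constructed sample data)
    key: str   # grouping field, like `cookie` in the answer
    msg: str   # raw text; the startswith predicate is tested against this


def transaction(events: List[Event], startswith: Callable[[Event], bool],
                maxspan: float) -> List[List[Event]]:
    """Group events per key, approximating `transaction <key> startswith=... maxspan=...`.

    Rules, as described in the thread:
      * an event matching startswith always opens a new transaction for its key;
      * otherwise it joins the open transaction for its key if it lies within
        maxspan of that transaction's first event;
      * if it does not fit, or no transaction is open, it opens a new one
        anyway. That new group has no startswith event: a fragment.
    """
    open_tx: Dict[str, List[Event]] = {}   # key -> events of the open transaction
    closed: List[List[Event]] = []

    def close(key: str) -> None:
        if key in open_tx:
            closed.append(open_tx.pop(key))

    for ev in sorted(events, key=lambda e: e.t):
        cur = open_tx.get(ev.key)
        if startswith(ev):
            close(ev.key)
            open_tx[ev.key] = [ev]
        elif cur is not None and ev.t - cur[0].t <= maxspan:
            cur.append(ev)
        else:
            close(ev.key)            # maxspan exceeded, or nothing open
            open_tx[ev.key] = [ev]   # fragment: opened by a non-startswith event
    for key in list(open_tx):
        close(key)
    return sorted(closed, key=lambda tx: tx[0].t)


def filter_fragments(txs: List[List[Event]],
                     startswith: Callable[[Event], bool]) -> List[List[Event]]:
    """Keep only transactions that contain a startswith event.

    Proper transactions contain exactly one such event (a second one would
    have opened a new transaction); fragments contain none, so testing for
    its presence separates the two cleanly.
    """
    return [tx for tx in txs if any(startswith(e) for e in tx)]


# Constructed sample mirroring the question: x opens, y follows, then a
# 20-second gap before two more y events. One key only, like a single cookie.
SAMPLE = [
    Event(0, "c1", "1 x"), Event(1, "c1", "2 y"),
    Event(2, "c1", "3 x"), Event(3, "c1", "4 y"), Event(4, "c1", "5 y"),
    Event(24, "c1", "6 y"), Event(25, "c1", "7 y"),
]


def starts_with_x(e: Event) -> bool:
    """The startswith predicate: the event text ends in the keyword x."""
    return e.msg.endswith(" x")


def demo(maxspan: float = 10.0):
    """Return (raw transactions, filtered transactions) as lists of messages."""
    raw = transaction(SAMPLE, starts_with_x, maxspan)
    kept = filter_fragments(raw, starts_with_x)
    return ([[e.msg for e in tx] for tx in raw],
            [[e.msg for e in tx] for tx in kept])


if __name__ == "__main__":
    raw, kept = demo()
    print("raw transactions:     ", raw)
    print("fragments filtered out:", kept)
```

With the sample events and maxspan=10s the raw grouping is `[1 x, 2 y]`, `[3 x, 4 y, 5 y]` and the fragment `[6 y, 7 y]`; the filter keeps the first two, which is the result the question asks for. The filter is written in the keep-the-good-ones sense (keep a transaction if one of its events matches startswith); in SPL that is a positive `| search url=*/login` after the transaction command, while the complementary `NOT` form selects the fragments themselves. Note also that events cut off by maxspan are dropped with the fragment, not merged back, so the workaround is only suitable when, as the answer says, you want each transaction to contain just the first maxspan seconds.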

Re: Does combining startswith and maxspan in a transaction work?

Path Finder

Does the startswith value work better if you use an eventtype rather than a search string?


Re: Does combining startswith and maxspan in a transaction work?

Motivator

Any response from support? This does seem to be a bug, as a transaction should always respect startswith and endswith, regardless of maxspan or maxevents values.


Re: Does combining startswith and maxspan in a transaction work?

Motivator

BTW this is still broken as of 4.1.8.
