Problem Description: I have transactions that start with an event containing keyword x and that are followed by one or more events with the keyword y. I also want to limit the transactions to a maximum timespan.
Example: So if I have events in the following order:
1 x, 2 y, 3 x, 4 y, 5 y .. 20 seconds later .. 6 y, 7 y
I would like to have a transaction consisting of event 1 & 2 and a transaction consisting of events 3-5
Approaches so far: If I use the startswith option together with the maxspan option I get transactions that do not contain the string specified in startswith. This might be a limitation of the transaction command. The documentation states that not all options can be combined (http://www.splunk.com/base/Documentation/4.0.9/Knowledge/Searchfortransactions)
Does anyone know how to solve this?
Thanks for the hint; I was looking in the wrong direction. I did not give enough detail/forgot to mention part of my problem in my question (I updated it).
I think I might have stumbled across a limitation of the transaction command. Could it be that startswith can't be combined with the maxspan option? If I add the maxspan option I get transactions that start with an event that does not contain the startswith string.
Indeed, it looks like maxspan (as well as maxevents, for that matter) trumps startswith.
In other words when the maxevents or maxspan condition terminates the current transaction row, the next event will start a new transaction even though the startswith condition may not be true.
So it sounds like you don't want these weird fragment transactions that you end up with.
It seems like a simple matter of filtering them out afterwards though and I think there's a reliable way.
e.g.: Say your startswith is a field, and you're using an eval expression like
| transaction cookie startswith=(url=*/login) maxspan=60s
and you want the transactions to only contain the first 60 seconds, then since there will be exactly one occurrence of the url=*/login field in the transaction, and precisely no occurrences in the fragment transactions, you can just filter the unwanted ones away.
| transaction cookie startswith=(url=*/login) maxspan=60s | search url=*/login
should do it.
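To make the fragment behaviour and the post-filter concrete, here is an added Python model (not Splunk code and not from the original thread) of the transaction logic as the answer describes it, run over the question's sample stream. It assumes constructed timestamps (events 1-5 one second apart, events 6-7 about 20 seconds later) and a 20-second maxspan; the keyword `x` plays the role of the startswith condition.

```python
from dataclasses import dataclass


@dataclass
class Event:
    id: int
    time: float      # seconds; constructed sample values
    keyword: str     # "x" satisfies startswith, "y" is a follow-on event


# Constructed sample stream from the question: 1 x 2 y 3 x 4 y 5 y .. 20 s later .. 6 y 7 y
EVENTS = [Event(1, 0, "x"), Event(2, 1, "y"), Event(3, 2, "x"), Event(4, 3, "y"),
          Event(5, 4, "y"), Event(6, 25, "y"), Event(7, 26, "y")]


def group_transactions(events, startswith="x", maxspan=20.0):
    """Model of `transaction startswith=... maxspan=...` as the answer describes it:
    a startswith match opens a new transaction, but when maxspan closes one, the very
    next event opens the following transaction whether or not it matches startswith."""
    transactions, current = [], []
    for ev in sorted(events, key=lambda e: e.time):
        if current and ev.time - current[0].time > maxspan:
            transactions.append(current)      # maxspan exceeded: close, next event starts a fragment
            current = [ev]
        elif ev.keyword == startswith:
            if current:
                transactions.append(current)  # startswith seen: close the open transaction
            current = [ev]
        elif current:
            current.append(ev)
        # events arriving before the first startswith match are dropped
    if current:
        transactions.append(current)
    return transactions


def drop_fragments(transactions, startswith="x"):
    """The answer's post-filter: keep only transactions containing a startswith event."""
    return [t for t in transactions if any(ev.keyword == startswith for ev in t)]


def transaction_ids(transactions):
    return [[ev.id for ev in t] for t in transactions]


if __name__ == "__main__":
    raw = group_transactions(EVENTS)
    print("raw:     ", transaction_ids(raw))                   # [[1, 2], [3, 4, 5], [6, 7]]
    print("filtered:", transaction_ids(drop_fragments(raw)))   # [[1, 2], [3, 4, 5]]
```

The raw grouping shows the fragment [6, 7] that maxspan produces without a startswith event; the filter leaves exactly the two transactions the question asked for.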
Any response from support? This does seem to be a bug, as a transaction should always respect startswith and endswith, regardless of maxspan or maxevents values.