Re: Error in 'transaction' command: Descending tim...

thisissplunk · ‎04-03-2017

I believe commands like "transaction" work on the _time metadata field that is hidden in each event. This is similar to timechart or bucket. The problem here is that the events I have get indexed all at once, and _time gets stamped to that one single timestamp.

However, we still have the correct timestamp when the log events were generated. Therefor I try resetting _time to that timestamp like so:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| transaction fields=hostname maxspan=60m

This works for bucket and timechart, however, it's not working for transaction:

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Is there a way to overcome this and get transaction to work on the new _time field? Is there any other way to accomplish this?

woodcock · ‎04-03-2017

Do this:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort 0 - _time
| transaction fields=hostname maxspan=60m

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey