Error in 'transaction' command: Descending time or...

thisissplunk · ‎04-03-2017

I believe commands like "transaction" work on the _time metadata field that is hidden in each event. This is similar to timechart or bucket. The problem here is that the events I have get indexed all at once, and _time gets stamped to that one single timestamp.

However, we still have the correct timestamp when the log events were generated. Therefor I try resetting _time to that timestamp like so:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| transaction fields=hostname maxspan=60m

This works for bucket and timechart, however, it's not working for transaction:

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Is there a way to overcome this and get transaction to work on the new _time field? Is there any other way to accomplish this?

woodcock · ‎04-03-2017

Do this:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort 0 - _time
| transaction fields=hostname maxspan=60m

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant