Error in 'transaction' command: Descending time or...

thisissplunk · ‎04-03-2017

I believe commands like "transaction" work on the _time metadata field that is hidden in each event. This is similar to timechart or bucket. The problem here is that the events I have get indexed all at once, and _time gets stamped to that one single timestamp.

However, we still have the correct timestamp when the log events were generated. Therefor I try resetting _time to that timestamp like so:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| transaction fields=hostname maxspan=60m

This works for bucket and timechart, however, it's not working for transaction:

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Is there a way to overcome this and get transaction to work on the new _time field? Is there any other way to accomplish this?

woodcock · ‎04-03-2017

Do this:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort 0 - _time
| transaction fields=hostname maxspan=60m

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console