Error in 'transaction' command: Descending time or...

thisissplunk · ‎04-03-2017

I believe commands like "transaction" work on the _time metadata field that is hidden in each event. This is similar to timechart or bucket. The problem here is that the events I have get indexed all at once, and _time gets stamped to that one single timestamp.

However, we still have the correct timestamp when the log events were generated. Therefor I try resetting _time to that timestamp like so:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| transaction fields=hostname maxspan=60m

This works for bucket and timechart, however, it's not working for transaction:

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Is there a way to overcome this and get transaction to work on the new _time field? Is there any other way to accomplish this?

woodcock · ‎04-03-2017

Do this:

| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort 0 - _time
| transaction fields=hostname maxspan=60m

Error in 'transaction' command: Descending time ordered events required, but the preceding search does not guarantee time order

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation