Splunk Search

Finding uncompleted transactions

GratefulDude
Explorer

I have application logs that will create a log when a user makes a request like:

2010-02-17 16:13:28.515 host1:1111:application DBG User made a requst[99999-1]: FOO (12345)

It then creates another log when the request is acknowledged like:

2010-02-17 16:13:29.118 host1:1111:application DBG reply for user 12345: request acknowledged

I am able to do a search and group both logs into pairs with transaction:

host="host1" source="C:\\logs\app*" ("DBG User made a request" OR "request acknowledged") | rex "DBG User made a requst: Foo \((?<ID>\d+)\) \[" | rex "DBG reply for user (?<ID>\d+): " | transaction ID maxspan=60s startswith="DBG User made a request" endswith="request acknowledged"

and I get a nice list of all the request/acknowledge pairs grouped together. What I need is to find (and alert) when I get a request, but not a matching acknowledge.

Any ideas?

Ledion_Bitincka
Splunk Employee

This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4)

The following search might do what you want (if ID is a unique id at least within the 60 seconds that the transactions are supposed to last):

host="host1" source="C:\\logs\app*" ("DBG User made a request" OR "request acknowledged") | rex "DBG User made a requst: Foo \((?<ID>\d+)\) \[" | rex "DBG reply for user (?<ID>\d+): " | transaction ID maxspan=60s startswith="DBG User made a request" | search NOT "request acknowledged"

GratefulDude
Explorer

Thanks. What worked for me was doing a |search linecount<2 from my results. That matches all of my "requests" and "answers" up into transactions that should always be 2 lines.

dianbo_1
Path Finder

The startswith and endswith are "eventtype=A" and "eventtype=B" in my definition. But I only get transactions that have the end event (eventtype=B), and it cannot display those that only have the start event (eventtype=A).

For example, if I do the search "eventtype=A | transaction router ip startswith="eventtype=A" endswith="eventtype=B" keepevicted=true", I should get many uncompleted transactions, but I get none.

Any ideas?

Thanks, Dianbo.

gkanapathy
Splunk Employee

You should just be able to add keepevicted=true to the transaction command options, then search on evicted=1:

... | transaction keepevicted=true ... | where evicted=1

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

gkanapathy
Splunk Employee

Hmm, looks like it changed at some point, you're right that in 4.0.9 the field is "closed_txn" and is the inverse of evicted, i.e., it's 1 for completed transactions.

ziegfried
Influencer

Did this change for Splunk 4.1? The evicted field doesn't seem to be part of the result. I had success with "… | transaction … | where closed_txn=0" though.
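The thread above discusses three ways of spotting a request with no acknowledgement after transaction groups the pairs: filtering on linecount<2, on evicted=1 (keepevicted=true), or on closed_txn=0. The following is an added Python example, not Splunk code and not from any of the posters, that emulates what those searches do over a handful of constructed log lines in the format of the original post (the "requst" spelling of the sample line is kept so the pattern matches it). It pairs each request with its acknowledgement by the numeric ID, applies a 60-second maxspan, marks pairs that never closed within that span as evicted (closed_txn=0), and drops acknowledgements that arrive with no open request, which is what startswith does for events that cannot open a group. The field names closed_txn, evicted and linecount mirror the ones named in the thread; the Transaction class, the parse helpers and the sample timestamps are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input in the format shown in the question (not real log data).
# 12345 and 33333 are acknowledged in time; 22222 is acknowledged 90 s later, past
# the 60 s maxspan; 44444 is an acknowledgement with no request at all.
SAMPLE_LOG = """\
2010-02-17 16:13:28.515 host1:1111:application DBG User made a requst[99999-1]: FOO (12345)
2010-02-17 16:13:29.118 host1:1111:application DBG reply for user 12345: request acknowledged
2010-02-17 16:13:30.002 host1:1111:application DBG User made a requst[99999-2]: FOO (22222)
2010-02-17 16:13:31.250 host1:1111:application DBG User made a requst[99999-3]: FOO (33333)
2010-02-17 16:13:35.000 host1:1111:application DBG reply for user 44444: request acknowledged
2010-02-17 16:13:40.400 host1:1111:application DBG reply for user 33333: request acknowledged
2010-02-17 16:15:00.000 host1:1111:application DBG reply for user 22222: request acknowledged
"""

TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<rest>.*)$")
# Equivalent of the two rex stages: pull the numeric ID out of each event kind.
REQUEST_RE = re.compile(r"DBG User made a requst\[[^\]]*\]: \w+ \((?P<ID>\d+)\)")
ACK_RE = re.compile(r"DBG reply for user (?P<ID>\d+): request acknowledged")


@dataclass
class Transaction:
    """One group as transaction would emit it, with the fields discussed in the thread."""
    ID: str
    start: datetime
    events: list = field(default_factory=list)
    closed_txn: int = 0          # 1 once the endswith event has been seen

    @property
    def linecount(self) -> int:
        return len(self.events)

    @property
    def evicted(self) -> int:    # inverse of closed_txn, as the thread notes
        return 0 if self.closed_txn else 1


def parse(line):
    """Return (timestamp, kind, ID, raw line) or None for lines that match neither pattern."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    rest = m.group("rest")
    r = REQUEST_RE.search(rest)
    if r:
        return ts, "request", r.group("ID"), line
    a = ACK_RE.search(rest)
    if a:
        return ts, "ack", a.group("ID"), line
    return None


def build_transactions(lines, maxspan=timedelta(seconds=60)):
    """Emulate: transaction ID maxspan=60s startswith=<request> endswith=<ack> keepevicted=true."""
    open_txns = {}
    done = []
    events = sorted(filter(None, (parse(l) for l in lines)), key=lambda e: e[0])
    for ts, kind, tid, line in events:
        # Anything open longer than maxspan is evicted (kept, but never closed).
        for key in [k for k, t in open_txns.items() if ts - t.start > maxspan]:
            done.append(open_txns.pop(key))
        if kind == "request":
            if tid in open_txns:               # a new start closes the old group unfinished
                done.append(open_txns.pop(tid))
            open_txns[tid] = Transaction(tid, ts, [line])
        elif kind == "ack" and tid in open_txns:
            t = open_txns.pop(tid)
            t.events.append(line)
            t.closed_txn = 1
            done.append(t)
        # An ack with no open request cannot start a group under startswith and is dropped.
    done.extend(open_txns.values())            # still open at end of data: uncompleted
    return sorted(done, key=lambda t: t.start)


def uncompleted_ids(lines, maxspan=timedelta(seconds=60)):
    """Equivalent of '... | where closed_txn=0' (or 'where evicted=1')."""
    return [t.ID for t in build_transactions(lines, maxspan) if t.closed_txn == 0]


def short_transaction_ids(lines, maxspan=timedelta(seconds=60)):
    """Equivalent of the original poster's '... | search linecount<2'."""
    return [t.ID for t in build_transactions(lines, maxspan) if t.linecount < 2]


if __name__ == "__main__":
    for t in build_transactions(SAMPLE_LOG.splitlines()):
        print(f"ID={t.ID} linecount={t.linecount} closed_txn={t.closed_txn} evicted={t.evicted}")
    print("uncompleted:", uncompleted_ids(SAMPLE_LOG.splitlines()))
```

On the constructed input only 22222 is reported by both filters: its acknowledgement arrives after the maxspan, so the group was already evicted when the reply showed up, which is exactly the alerting condition the question asks for. The linecount<2 filter and the closed_txn=0 filter agree here because every completed pair has exactly two lines; they would diverge if a request could legitimately produce more than one log line before the acknowledgement, in which case the closed_txn/evicted flags are the safer test.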
