I'm trying to understand the functionality of keepevicted. I've read several pieces of documentation about it, but it's still not clear.
I've made a search with transaction. Without keepevicted I get 54 events; with keepevicted, 62. I searched for the difference and found one with, let's say, the text "abc". When I add "abc" to the search (in the first line, with index=....) without keepevicted, the event is returned. I don't understand why that is.
Can someone explain?
The search is something like this:
index=main sourcetype="src_type1" *abc* earliest=1610441880 latest=1610445533.859
| eval tmpId=if(len(bi_Id)>0,bi_Id,if(len(bo_id)>0,bo_id,be_Id))
| transaction maxspan=5s tmpId
| rex field=que1 "\{(?<cliber>.*)\}"
| rex field=que2 "\{(?<serber>.*)\}"
| stats count as Aantal by cliber

Hi,
If my memory serves me correctly, transactions can only look at a finite number of events - if that number is breached then the transaction is cancelled.
Splunk docs for transactions show:
maxevents
Syntax: maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
Default: 1000
Thus, when you add *ABC* to the start of the search, you are reducing the number of events that the transaction is searching through, compared to when you do not include *ABC*?

An "evicted" transaction is one which was not completed within the specified criteria. In the example, if another event with the tmpId field was not found within 5 seconds of the previous such event then the current transaction is evicted.
If this reply helps you, Karma would be appreciated.

hi @richgalloway ,
Thanks for your answer, but it's still not clear to me. I don't understand why the events with *abc* are not returned when I don't have *abc* in the first line. When *abc* is in the first line and the rest of the search is the same as the first search, the events are returned.

@sheamus69, thanks. I think you're right that this has to do with a limit. When I don't use keepevicted there is a limit of 4999 events. See also https://community.splunk.com/t5/Splunk-Search/Is-there-a-limit-on-the-number-of-events-returned-from... . With keepevicted there is no limit or it is much higher.
The solution that works for me is to use keepevicted.
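As an added example (not from any of the posts above), here is the original search rewritten so that evicted transactions are kept and labelled, which makes the difference between the 54 and 62 results visible instead of having to diff the two result sets by hand. It assumes the same field names as the question (bi_Id, bo_id, be_Id, que1, que2) and uses the closed_txn field that the transaction command sets to 0 for evicted transactions and 1 for closed ones when keepevicted=true; the txn_state field name is made up for this example.

```spl
index=main sourcetype="src_type1" earliest=1610441880 latest=1610445533.859
| eval tmpId=if(len(bi_Id)>0,bi_Id,if(len(bo_id)>0,bo_id,be_Id))
| transaction tmpId maxspan=5s keepevicted=true
| rex field=que1 "\{(?<cliber>.*)\}"
| rex field=que2 "\{(?<serber>.*)\}"
| eval txn_state=if(closed_txn==1,"closed","evicted")
| stats count as Aantal by cliber txn_state
```

The "evicted" rows are the transactions that were opened by an event but never closed within the 5-second maxspan (or hit whatever other limit the search ran into); without keepevicted=true they are dropped silently and never reach the stats command. To list the specific evicted transactions that contain "abc", insert `| search txn_state="evicted" *abc*` before the stats line.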
