Splunk Search

Functionality of keepevicted not clear

rrovers
Contributor

I'm trying to understand the functionality of keepevicted. I've read several pieces of documentation about it, but it's still not clear.

I've made a search with transaction. Without keepevicted I get 54 events; with keepevicted, 62. I've searched for the difference and found one with, let's say, the text "abc". When I add "abc" to the search (in the first line with index=....) without keepevicted, the event is returned. I don't understand why that is.

Can someone explain?

The search is something like this:

index=main sourcetype="src_type1" *abc* earliest=1610441880 latest=1610445533.859
| eval tmpId=if(len(bi_Id)>0,bi_Id,if(len(bo_id)>0,bo_id,be_Id))
| transaction maxspan=5s tmpId
| rex field=que1 "\{(?<cliber>.*)\}"
| rex field=que2 "\{(?<serber>.*)\}"
| stats count as Aantal by cliber

0 Karma
1 Solution

sheamus69
Communicator

Hi,

If my memory serves me correctly, transactions can only look at a finite number of events - if that number is breached then the transaction is cancelled.

Splunk docs for transactions show:

maxevents
    Syntax: maxevents=<int>
    Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled.
    Default: 1000

Thus, when you add *ABC* to the start of the search, you are reducing the number of events that the transaction is searching through, compared to when you do not include *ABC*?


richgalloway
SplunkTrust

An "evicted" transaction is one which was not completed within the specified criteria. In the example, if another event with the tmpId field was not found within 5 seconds of the previous such event then the current transaction is evicted.

---
If this reply helps you, Karma would be appreciated.
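To make the two explanations above concrete (sheamus69's point that maxevents caps how many events a transaction may hold, and richgalloway's description of a transaction being evicted when it is not completed within maxspan), here is an added Python model of that behaviour. It is not Splunk code and is not part of the original thread: it is a simplified simulation whose rules follow the descriptions given in these replies (a transaction that breaks a constraint is evicted, and evicted transactions are dropped unless keepevicted=true). The sample events, the tmpId values and the tiny maxevents=3 are constructed for the demo; real Splunk has further eviction cases (for example memory limits) that this model does not cover. The closed_txn flag mirrors the field of that name that Splunk's transaction command emits (0 for evicted, 1 for closed).

```python
from dataclasses import dataclass, field


@dataclass
class Txn:
    """One transaction: events sharing a tmpId, in time order."""
    tmp_id: str
    events: list = field(default_factory=list)
    # Mirrors Splunk's closed_txn field: 1 = closed normally, 0 = evicted.
    closed_txn: int = 1


def build_transactions(events, maxspan=5.0, maxevents=1000, keepevicted=False):
    """Group (time, tmp_id, text) tuples into transactions.

    Simplified model of `transaction maxspan=<s> maxevents=<n> tmpId`
    following the thread's description: an event joins the open
    transaction for its tmpId unless doing so would exceed maxspan
    (measured from the transaction's first event) or maxevents; in that
    case the open transaction is evicted and a new one is started.
    Evicted transactions are returned only when keepevicted is True.
    Assumption: events are processed in ascending time order.
    """
    open_txns = {}   # tmp_id -> Txn currently being built
    finished = []    # every transaction that was closed or evicted

    for t, tmp_id, text in sorted(events, key=lambda e: e[0]):
        txn = open_txns.get(tmp_id)
        if txn is not None:
            first_t = txn.events[0][0]
            if t - first_t > maxspan or len(txn.events) >= maxevents:
                # Constraint broken: this transaction did not complete
                # within the criteria, so it is evicted.
                txn.closed_txn = 0
                finished.append(txn)
                txn = None
        if txn is None:
            txn = Txn(tmp_id)
            open_txns[tmp_id] = txn
        txn.events.append((t, tmp_id, text))

    # Whatever is still open when the stream ends closes normally.
    finished.extend(open_txns.values())

    if keepevicted:
        return finished
    return [x for x in finished if x.closed_txn == 1]


def summarize(txns):
    """(tmp_id, event count, closed_txn) per transaction, for inspection."""
    return [(x.tmp_id, len(x.events), x.closed_txn) for x in txns]


# Constructed sample stream (seconds, tmpId, text):
#   A: three events within 5 s            -> one closed transaction
#   B: second event arrives 7 s later     -> first part evicted by maxspan
#   C: a single event                     -> closed
#   D: four events within 5 s, maxevents=3 -> first three evicted by maxevents
SAMPLE_EVENTS = [
    (0.0, "A", "a1"), (2.0, "A", "a2"), (4.0, "A", "a3"),
    (0.0, "B", "b1"), (7.0, "B", "b2 abc"),
    (1.0, "C", "c1"),
    (0.0, "D", "d1"), (1.0, "D", "d2"), (2.0, "D", "d3"), (3.0, "D", "d4"),
]

if __name__ == "__main__":
    kept = build_transactions(SAMPLE_EVENTS, maxspan=5, maxevents=3)
    everything = build_transactions(SAMPLE_EVENTS, maxspan=5, maxevents=3,
                                    keepevicted=True)
    print("without keepevicted:", len(kept), summarize(kept))
    print("with keepevicted:   ", len(everything), summarize(everything))
```

Running it shows the same kind of gap the question reports: the "b2 abc" event survives either way because it starts a fresh transaction, but the "b1" event and the "d1..d3" group only appear in the output when keepevicted is on, so the count rises from 4 to 6. Which events disappear therefore depends on which constraint was broken first, which is why adding a filter to the base search (fewer events per tmpId, different gaps) changes the result.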

rrovers
Contributor

Hi @richgalloway,

Thanks for your answer, but it's still not clear to me. I don't understand why the events with *abc* are not returned when I don't have *abc* in the first line. When *abc* is in the first line and the rest of the search is the same as the first search, the events are returned.

0 Karma

rrovers
Contributor

@sheamus69, thanks. I think you're right that this has to do with a limit. When I don't use keepevicted there is a limit of 4999 events. See also https://community.splunk.com/t5/Splunk-Search/Is-there-a-limit-on-the-number-of-events-returned-from... . With keepevicted there is no limit, or it is much higher.
The solution that works for me is to use keepevicted.

0 Karma