Splunk Search

Guarantee startswith when using keepevicted

gp2
New Member

Hi Splunk community, I am trying to make a query that returns all transactions for a starting event and ending event that last a certain duration as well as any starting events that don't have an ending event for a specific time range. I attempted to do this by putting keepevicted = true in my transaction but this appears to include some unwanted data as well. I believe the below example will show what I mean:

The data list is as follows:
1. Connection: misc.
2. Connection: misc.
3. unneeded data
4. Connection: lost
5. Connection: finding
6. Connection: found
7. unneeded data
8. Connection: lost
9. Connection: finding
10. Connection: still finding

My query will be as follows
"Connection" | transaction startswith="lost" endswith="found" keepevicted=true

This will return 3 result transactions, events 1-2, events 4-6, and events 8-10. The last two are the ones I want but the first transaction is unneeded but shows up anyway as a result of keepevicted since they are considered close enough. If I removed keepevicted, I will only receive events 4-6 since 8-10 doesn't have the end event.

Is there a way I can modify the query so I receive the last two transactions but not the first one? Is it possible that transactions aren't necessary and there are other splunk commands that can get me what I want?

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="1. Connection: misc.
2. Connection: misc.
3. unneeded data
4. Connection: lost
5. Connection: finding
6. Connection: found
7. unneeded data
8. Connection: lost
9. Connection: finding
10. Connection: still finding"
| makemv delim="
" _raw
| rename _raw as raw
| mvexpand raw
| rename raw as _raw
`comment("this is your sample, from here, the logic")`
| search "Connection"
| streamstats count(eval(searchmatch("lost"))) as session
| where session > 0

I don't use transaction, but it works.

Note that the older the log, the higher up it must be.
If not, use | reverse before streamstats.

0 Karma

gp2
New Member

Thanks for the response to4kawa,

I apologize, I don't think I made my issue clear from the earlier example. I need "Connection: misc" to not appear no matter where it shows up in the data. Using this for the raw instead:

  1. Connection: lost
  2. Connection: finding
  3. Connection: found
  4. Unneeded data
  5. Connection: misc.
  6. Connection: misc.
  7. unneeded data
  8. Connection: lost
  9. Connection: finding
  10. Connection: found
  11. Unneeded Data
  12. Connection: lost
  13. Connection: finding
  14. Connection: still finding

Your search returns 1-3 and 5-6 with session as 1, 8-10 with session as 2, and 12-14 with session as 3. My transaction example returns the same as well, just because keepevicted seems to keep things very general when it is used. In this case, I would only want 1-3, 8-10, and 12-14.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="Connection: lost
Connection: finding
Connection: found
Unneeded data
Connection: misc.
Connection: misc.
unneeded data
Connection: lost
Connection: finding
Connection: found
Unneeded Data
Connection: lost
Connection: finding
Connection: still finding" 
| makemv delim="
" _raw 
| rename _raw as raw 
| mvexpand raw 
| rename raw as _raw
    `comment("this is your sample, from here, the logic")` 
| search "Connection" NOT "misc"
| streamstats count(eval(searchmatch("lost"))) as session 
| where session > 0

0 Karma
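The streamstats approach in the answers above can be taken one step further so that it covers everything the original question asked for: events before the first start event are dropped, events that follow an end event (the "misc." lines) are dropped without a hard-coded NOT "misc" filter, a start event with no end is kept as an open session, and the duration filter is applied only to closed sessions. This is an added example written for this page, not gp2's or to4kawa's query. The sample events are the 14 lines from the thread, the timestamps (5 seconds apart), the 10-second threshold and the field names seq, is_start, is_end, session, ends_seen, closed, n_events and duration are all assumptions made for the illustration:

```spl
| makeresults
| eval _raw="Connection: lost
Connection: finding
Connection: found
Unneeded data
Connection: misc.
Connection: misc.
unneeded data
Connection: lost
Connection: finding
Connection: found
Unneeded Data
Connection: lost
Connection: finding
Connection: still finding"
| makemv delim="
" _raw
| rename _raw AS raw
| mvexpand raw
| rename raw AS _raw
| streamstats count AS seq
| eval _time = now() - 100 + seq * 5
`comment("everything above builds the constructed sample with assumed timestamps 5 seconds apart. The logic starts here and expects the oldest event first, use reverse before it otherwise")`
| search "Connection"
| eval is_start = if(searchmatch("lost"), 1, 0)
| eval is_end = if(searchmatch("found"), 1, 0)
`comment("running count of start events, so events before the first start get session 0 and are dropped")`
| streamstats sum(is_start) AS session
| where session > 0
`comment("inside a session, drop everything that comes after the end event but keep the end event itself")`
| streamstats sum(is_end) AS ends_seen BY session
| where ends_seen = 0 OR is_end = 1
`comment("one row per session, closed is 1 when an end event was seen and 0 for a start with no end")`
| stats min(_time) AS start max(_time) AS end max(is_end) AS closed list(_raw) AS events count AS n_events BY session
| eval duration = end - start
`comment("keep closed sessions above the threshold, 10 seconds here as a placeholder, plus every open session")`
| where closed = 0 OR duration >= 10
```

To run this against real data, replace the lines before the first comment with the base search and drop the seq and _time eval, since real events already carry _time. On the constructed sample, sessions 1 and 2 come out with closed=1 and a 10-second duration and session 3 (a lost with no found) comes out with closed=0, which is the "1-3, 8-10, and 12-14" result asked for in the thread. The transaction command exposes the same open/closed distinction through its closed_txn field (0 for an evicted transaction), but with keepevicted=true the events that precede the first start event still arrive as an evicted transaction, which is the behaviour the question describes; the explicit session counter avoids that.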