Splunk Search

How can I report on incomplete transactions?

hexx
Splunk Employee

I am using the following search to report on successful transactions in our password checkin/checkout system:

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset"

However, I would like to build a report that shows all incomplete transactions. How can I achieve this?

1 Solution

hexx
Splunk Employee

The transaction command creates an internal field named "closed_txn" to indicate if a given transaction is complete or not.

From the Search Reference Manual entry for the transaction command:

keepevicted=<bool>

Description:

Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.

Transactions that fulfill both the "startswith" and "endswith" conditions are marked as successful by having the field "closed_txn" set to 1, whereas transactions that fail to fulfill one or both of these conditions are marked as unsuccessful by having the field "closed_txn" set to 0.

In our case, to report on incomplete transactions we need to:

  • Keep all transactions, both closed (those that match all the transaction restrictions) and open (those that fail to match all the transaction restrictions), by specifying "keepevicted=true".
  • Use the "closed_txn" Boolean field generated by the transaction command to differentiate the invalid transactions.

Our new search should append "| search closed_txn=0" to the base search in order to report only on the unsuccessful transactions:

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | search closed_txn=0


yannK
Splunk Employee

FYI, if you also want to calculate duration of unclosed transactions, this is possible with an eval.


mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration _raw

Beware: the function now() may not be compatible with real time.

yannK
Splunk Employee

Using a stats command may be less expensive than a transaction:

mysearch ("checkout" OR "reset") | stats first(_raw) AS recent_event first(_time) AS _time by Hostname, LBG_User | search recent_event="*checkout*" | eval duration=now()-_time | table _time duration Hostname LBG_User recent_event

mmacvicar_splun
Splunk Employee

Minor correction: duration=0 for events that haven't completed, so use "eval duration=if(duration==0,now()-_time,duration)", or:
mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(duration==0,now()-_time,duration) | table _time duration _raw

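As an added example (not code from this thread and not Splunk's own implementation), the Python below reproduces, over constructed checkout/reset log lines, the observable behaviour the accepted answer and the duration comments describe: which groups end up with closed_txn=1 or closed_txn=0 under keepevicted=true, why an open transaction's duration is 0 rather than null (mmacvicar_splun's correction), and the stats-style "most recent event per key" alternative yannK sketched. It mirrors the results, not Splunk's internal algorithm; the log line format, the epoch timestamps and the fixed "now" value are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events for a checkout/reset cycle; not real data. The
# field names Hostname and LBG_User follow the thread; the line format is
# an assumption made for this example.
SAMPLE_LOG = """\
1700000000 Hostname=aix01 LBG_User=alice action=checkout
1700000300 Hostname=aix01 LBG_User=alice action=reset
1700000600 Hostname=aix02 LBG_User=bob action=checkout
1700000900 Hostname=aix01 LBG_User=carol action=checkout
1700001200 Hostname=aix01 LBG_User=carol action=reset
1700001500 Hostname=aix01 LBG_User=carol action=checkout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) Hostname=(?P<host>\S+) LBG_User=(?P<user>\S+) action=(?P<action>\S+)$"
)


@dataclass
class Transaction:
    host: str
    user: str
    start: int                      # _time of the transaction (earliest event)
    end: int                        # time of the latest event seen so far
    events: list = field(default_factory=list)
    closed_txn: int = 0             # becomes 1 when the endswith event arrives

    @property
    def duration(self) -> int:
        # As in Splunk: last event time minus first event time, so an
        # unclosed single-event transaction has duration 0, not null.
        return self.end - self.start


def parse(log: str):
    """Turn the raw lines into (time, host, user, action, raw) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["host"], m["user"], m["action"], line))
    return events


def build_transactions(events, startswith="checkout", endswith="reset"):
    """Group events by (Hostname, LBG_User) as `transaction ... keepevicted=true`
    would present them: a startswith event opens a transaction, the endswith
    event closes it (closed_txn=1); anything still open is kept with closed_txn=0."""
    open_txn = {}
    done = []
    for ts, host, user, action, raw in sorted(events):
        key = (host, user)
        if action == startswith:
            # A new start always begins a new transaction; one already open
            # for the same key is left unclosed (evicted).
            if key in open_txn:
                done.append(open_txn.pop(key))
            open_txn[key] = Transaction(host, user, ts, ts, [raw])
        elif key in open_txn:
            txn = open_txn[key]
            txn.events.append(raw)
            txn.end = ts
            if action == endswith:
                txn.closed_txn = 1
                done.append(open_txn.pop(key))
    done.extend(open_txn.values())       # keepevicted=true: keep the open ones
    return sorted(done, key=lambda t: t.start)


def incomplete(txns):
    """Equivalent of `| search closed_txn=0`."""
    return [t for t in txns if t.closed_txn == 0]


def duration_or_age(txn, now):
    """mmacvicar_splun's correction: test closed_txn (or duration==0) rather
    than isnull(duration), then substitute now()-_time for open transactions."""
    return now - txn.start if txn.closed_txn == 0 else txn.duration


def open_checkouts_via_stats(events, startswith="checkout"):
    """The stats-style alternative from the thread: keep only the most recent
    event per (Hostname, LBG_User); if that event is a checkout, nothing has
    reset it yet. Returns the sorted list of keys with an open checkout."""
    latest = {}
    for ts, host, user, action, raw in sorted(events):
        latest[(host, user)] = action    # later events overwrite earlier ones
    return sorted(key for key, action in latest.items() if action == startswith)


if __name__ == "__main__":
    NOW = 1700003600                    # fixed "now()" so the run is reproducible
    for txn in incomplete(build_transactions(parse(SAMPLE_LOG))):
        print(txn.host, txn.user, "open for", duration_or_age(txn, NOW), "s")
```

Running it lists the two open checkouts (bob on aix02, and carol's second checkout on aix01, whose earlier cycle was closed by a reset) with their age against the fixed "now"; the same two keys come back from the stats-style function. In Splunk the selection is `| search closed_txn=0`, and the age calculation needs now(), which, as noted above, does not fit a real-time search.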

splunkering
Explorer

Hi @hexx
Thanks for your solution. I have the same requirement but this solution didn't work for me.
When I add keepevicted=true it shows me 2 events per transaction: the transaction started event (with closed_txn=0) and the transaction ended event (with closed_txn=1), and when I add | search closed_txn=0 it shows me the transaction started event for all transactions, including those that completed successfully. But I want only transactions that do not have a completed event.

... | transaction build_number,type startswith="started" endswith="completed" keepevicted=true | search closed_txn = 0


splunkering
Explorer

However, this works, but I am not sure if it's the best approach:
... | stats count by build_number | search count = 1
