Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does Splunk handle transactions that span search time boundaries?

cantgetnosleep
Explorer
‎08-20-2014 03:54 PM

How does splunk handle transactions that span search time boundaries? If a transaction starts before a search interval, but finishes within it, is it included in the search? Also, if a transaction begins within the search interval but ends after it, how is that handled?

Thanks,

Andrew

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎08-20-2014 11:07 PM

Hi cantgetnosleep,

here is what doc tells us about transaction: 

 A transaction search enables you to identify transaction events that each stretch over multiple logged events.

that said, if you search from 8am til 10am the transaction command will use the events returned from your base search and builds a group of conceptually-related events. Since your base search only returns events from 8am til 10am, the transaction command will not know if there is anything before 8am or after 10am.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎08-20-2014 11:07 PM

Hi cantgetnosleep,

here is what doc tells us about transaction: 

 A transaction search enables you to identify transaction events that each stretch over multiple logged events.

that said, if you search from 8am til 10am the transaction command will use the events returned from your base search and builds a group of conceptually-related events. Since your base search only returns events from 8am til 10am, the transaction command will not know if there is anything before 8am or after 10am.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

cantgetnosleep
Explorer
‎08-21-2014 08:09 AM

Awesome. Thanks! Those were very helpful answers.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2014 12:40 AM

Transactions that entirely are in the third hour will be searched in the next scheduled execution. Transactions that had their "tail" in the first hour were already found by the previous scheduled execution.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2014 12:40 AM

You schedule a search for 2 */2 * * * or however long you want to wait for events to be present from distant systems, set the time range to -3h@h to @h, and build your search like this:

base search | transaction blah blah | search to make sure a transaction is complete | addinfo | where _time < relative_time(info_min_time, "+2h")

The last where is key. You search over three hours, assemble transactions, and then only keep transactions that started in the first two hours. As a result you get transactions whose "tail" is in the third hour.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2014 12:37 AM

In other words, it doesn't handle that.

Whether these "half transactions" are included in your results depends on the configuration of the transaction command and the available data. For example, if your transaction only has a start and end event then I'd say seeing only one of those would cause that transaction to be evicted and hidden unless explicitly shown with keepevicted=t.

To get around that you should always run overlapping transaction searches. Say you know a transaction is at most one hour long and you want to schedule a search every two hours over the previous two hours.

Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...