Solved: How to avoid unwanted nested transactions?

TRJR · ‎05-13-2022

Hi - I have a list of events, most of which pair up nicely as 'startswith' (A) and 'endswith' (B) to make a desired transaction, but in the list there is an extra unexpected 'startswith' event and an extra unexpected 'endswith'. The extra unexpected events are shown in the list below as bold and underlined.

A B A B A B A A B A B A B A B A B A B B A B A B A B

Because there is one of each they match together they are not orphans and they make one very long false transaction, with a large number of valid transactions nested inside it. I thought limiting maxevents to 2 would help, but it didn't, and because a valid transaction *could* be a long duration then I don't want to use maxspans. Is there some way to ignore events which are out of sequence? I appreciate that choosing *which* of the adjacent events should be ignored might be problematic i.e. it could be the second not first 'A', but am first interested in what is possible.

ITWhisperer · ‎05-13-2022

You could use streamstats to capture the previous event type and drop events where the type is the same as the previous

Depending on whether you wanted to keep only the last A or first B you may have to do this twice with a reverse between to change the order of the events.

View solution in original post

ITWhisperer · ‎05-13-2022

You could use streamstats to capture the previous event type and drop events where the type is the same as the previous

Depending on whether you wanted to keep only the last A or first B you may have to do this twice with a reverse between to change the order of the events.

How to avoid unwanted nested transactions?

transaction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases