Splunk Search

How to change the order in which the transaction command processes the opened txn?

sttang88
New Member

Hi everyone!

I'm trying to use a transaction to group logs that match the following business logic:

  • all triggered actions are queued and processed following the FIFO policy
  • sometimes, many actions can be triggered before the first one is even completed
  • my logs do not include a common transaction_id that could be used to match the triggering and ACK events
  • therefore, I must assume that my first ACK is for the first triggered action, and so on.

My transaction command would look like:
| transaction unit, option startswith="trigger" endswith="ack"

But it seems that Splunk is associating the first ACK event that matches my transaction conditions with the last transaction it has opened. I would expect it to work the opposite way, or at least I wish I could ask it to do so.

Here is a short data sample:

2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled

The command mentioned above is returning something like:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7

When I would expect:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1

Hope I was clear enough and thank you for your help 🙂

0 Karma
1 Solution

sundareshr
Legend

How about something like this... you should be able to build on it

... | streamstats count as c by action | sort c


0 Karma

sttang88
New Member

Thanks @sundareshr!

I finally had to add all the fields used in my transaction to the streamstats count to make it work.

For future reference, here is my final query:

| streamstats count AS c by unit, option, action
| sort c
| transaction unit, option, c
startswith="trigger"
endswith="ack"

Thank you 🙂

0 Karma
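The pairing logic the thread settles on, modelled in plain Python so it can be checked offline. This is an added example, not code from the thread or from Splunk; the parser, the function names and the extra trailing trigger event in the `__main__` block are assumptions. `pair_by_sequence` reproduces the final query's approach (number events per `unit, option, action` with `streamstats`, then join trigger n with ack n), `pair_by_queue` walks the same events chronologically with either a FIFO queue (the business rule) or a LIFO stack (which gives exactly the pairing the plain `transaction` call produced in the question), and the last two calls show why the direction in which `streamstats` numbers events matters once a trigger has no ack yet.

```python
"""FIFO pairing of trigger/ack events that share no transaction id.

Added example: a plain-Python model of the SPL from the thread's final query,
  | streamstats count AS c by unit, option, action
  | sort c
  | transaction unit, option, c startswith="trigger" endswith="ack"
so the pairing policies can be compared offline.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the question; newest first, as Splunk lists events.
SAMPLE_LOG = """\
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
"""

Event = Dict[str, str]
Pair = Tuple[str, Optional[str]]  # (trigger time, ack id, or None if still open)


def parse(log: str) -> List[Event]:
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts with a _time field."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, clock, *kvs = line.split()
        ev: Event = {"_time": f"{date} {clock}"}
        for kv in kvs:
            k, _, v = kv.partition("=")
            ev[k] = v
        events.append(ev)
    return events


def assign_sequence(events: List[Event], newest_first: bool = True) -> List[Event]:
    """Model `streamstats count AS c by unit, option, action`.

    streamstats numbers events in the order they flow through the pipeline; in a
    plain search that is newest first, so c=1 is the most recent event of each
    (unit, option, action) group. newest_first=False numbers chronologically.
    """
    ordered = sorted(events, key=lambda e: e["_time"], reverse=newest_first)
    counters: Dict[Tuple[str, str, str], int] = defaultdict(int)
    numbered: List[Event] = []
    for ev in ordered:
        group = (ev["unit"], ev["option"], ev["action"])
        counters[group] += 1
        numbered.append({**ev, "c": str(counters[group])})
    return numbered


def pair_by_sequence(events: List[Event], newest_first: bool = True) -> List[Pair]:
    """Model the final query: the n-th trigger pairs with the n-th ack per (unit, option)."""
    numbered = assign_sequence(events, newest_first)
    acks = {(e["unit"], e["option"], e["c"]): e for e in numbered if e["action"] == "ack"}
    pairs: List[Pair] = []
    for ev in numbered:
        if ev["action"] == "trigger":
            ack = acks.get((ev["unit"], ev["option"], ev["c"]))
            pairs.append((ev["_time"], ack["id"] if ack else None))
    return sorted(pairs, key=lambda p: p[0])


def pair_by_queue(events: List[Event], policy: str = "fifo") -> List[Pair]:
    """Walk events chronologically, holding the open triggers per (unit, option).

    policy="fifo": the oldest open trigger takes the next ack (the business rule).
    policy="lifo": the newest open trigger takes it, which reproduces the pairing
    the plain transaction command produced in the question.
    Triggers still open at the end are reported with ack id None.
    """
    if policy not in ("fifo", "lifo"):
        raise ValueError(f"unknown policy {policy!r}")
    open_triggers: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    pairs: List[Pair] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["unit"], ev["option"])
        if ev["action"] == "trigger":
            open_triggers[key].append(ev)
        elif ev["action"] == "ack" and open_triggers[key]:
            trig = open_triggers[key].pop(0 if policy == "fifo" else -1)
            pairs.append((trig["_time"], ev["id"]))
    for pending in open_triggers.values():
        pairs.extend((t["_time"], None) for t in pending)
    return sorted(pairs, key=lambda p: p[0])


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("transaction as posted (LIFO):", pair_by_queue(events, "lifo"))
    print("final query (sequence join): ", pair_by_sequence(events))
    print("FIFO queue:                  ", pair_by_queue(events, "fifo"))
    # Assumed extra event: a trigger whose ack has not arrived yet. Numbering from
    # the newest event shifts every 'disabled' pair; chronological numbering does not.
    pending = events + [{"_time": "2015-12-28 20:02:05", "action": "trigger",
                         "unit": "foobar", "option": "disabled"}]
    print("open trigger, newest-first c: ", pair_by_sequence(pending, newest_first=True))
    print("open trigger, chronological c:", pair_by_sequence(pending, newest_first=False))
```

Run it with `python3` to print the five pairings. On the question's sample the sequence join and the FIFO queue agree and give the pairing the asker wanted, while the LIFO stack gives the one `transaction` returned. The last two lines are the caveat a practitioner should keep in mind: with one trigger still unanswered inside the search window, numbering from the newest event hands the latest ack to the wrong trigger, so if that case can occur in the data, number chronologically in SPL as well, for example with `| sort 0 _time` or `| reverse` ahead of `streamstats`, so that c=1 is the oldest event of each group.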