Splunk Search

How to change the order the transaction command process the opened txn?

sttang88
New Member

Hi everyone!

I'm trying to use a transaction to group logs that match the following business-logic:

  • all triggered actions are queued and processed following the FIFO policy
  • sometimes, many actions can be triggered before the first one is even completed
  • my logs does not include a common transaction_id that could be use to match the triggering and ACK events
  • thereby, I must assume that my first ACK is for the first triggered action, and so on.

My transaction command would looks like:
| transaction unit, option startswith="trigger" endswith="ack"

But it seems that Splunk is associating the first ACK event that match my transaction conditions with the last transaction it has opened. I would expect it to work the opposite way, or at least, I wish I could ask it to do so.

Here is a short data sample:

2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled

The command mentioned above is returning something like:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7

When I would expect:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1

Hope I was clear enough and thank you for your help 🙂

0 Karma
1 Solution

sundareshr
Legend

How about something like this... you should be able to build on it

... | streamstats count as c by action | sort c

View solution in original post

0 Karma

sundareshr
Legend

How about something like this... you should be able to build on it

... | streamstats count as c by action | sort c
0 Karma

sttang88
New Member

Thanks @sundareshr!

I finally had to add all the fields used in my transaction to the streamstats count to make it work.

For futur record, here is my final query:

| streamstats count AS c by unit, option, action
| sort c
| transaction unit, option, c
startswith="trigger"
endswith="ack"

Thank you 🙂

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...