Solved: How to change the order the transaction command pr...

sttang88 · ‎12-30-2015

Hi everyone!

I'm trying to use a transaction to group logs that match the following business-logic:

all triggered actions are queued and processed following the FIFO policy
sometimes, many actions can be triggered before the first one is even completed
my logs does not include a common transaction_id that could be use to match the triggering and ACK events
thereby, I must assume that my first ACK is for the first triggered action, and so on.

My transaction command would looks like:
| transaction unit, option startswith="trigger" endswith="ack"

But it seems that Splunk is associating the first ACK event that match my transaction conditions with the last transaction it has opened. I would expect it to work the opposite way, or at least, I wish I could ask it to do so.

Here is a short data sample:

2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled

The command mentioned above is returning something like:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7

When I would expect:

2015-12-28 20:01:59 action=trigger unit=foobar option=disabled
2015-12-28 20:02:02 action=ack unit=foobar option=disabled id=13
---
2015-12-28 20:01:18 action=trigger unit=foobar option=enabled
2015-12-28 20:02:00 action=ack unit=foobar option=enabled id=7
---
2015-12-28 20:00:57 action=trigger unit=foobar option=disabled
2015-12-28 20:02:00 action=ack unit=foobar option=disabled id=3
---
2015-12-28 20:00:17 action=trigger unit=foobar option=enabled
2015-12-28 20:01:59 action=ack unit=foobar option=enabled id=1

Hope I was clear enough and thank you for your help 🙂

sundareshr · ‎12-30-2015

How about something like this... you should be able to build on it

... | streamstats count as c by action | sort c

View solution in original post

sundareshr · ‎12-30-2015

How about something like this... you should be able to build on it

... | streamstats count as c by action | sort c

sttang88 · ‎12-30-2015

Thanks @sundareshr!

I finally had to add all the fields used in my transaction to the streamstats count to make it work.

For futur record, here is my final query:
| streamstats count AS c by unit, option, action | sort c | transaction unit, option, c startswith="trigger" endswith="ack"

Thank you 🙂

How to change the order the transaction command process the opened txn?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation