Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get transaction to ignore endswith if startswith doesn't exist

mikecal
Explorer
‎10-11-2019 09:31 AM

I have an issue where my transaction search finds endswith events with no startswith events.

Not to go into too much detail but this is due to a funky way that Cisco logs OSPF events when DMVPN is involved.

I want to simply ignore endswith matches if a startswith event doesn't exist.

Is there a way to force transaction to only match if a startswith event exists (must startswith)?

Below is my search:

sourcetype=cisco:ios eventtype="cisco_ios-routing-ospf" | transaction host startswith="FULL to DOWN" endswith="LOADING to FULL" keepevicted=true | search closed_txn=0

Thanks,
Mike

0 Karma
Reply

woodcock
Esteemed Legend
‎10-22-2019 01:38 AM

Ditch transaction like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="cisco:ios" AND eventtype="cisco_ios-routing-ospf"
| streamstats count(eval(searchmatch(FULL to DOWN"))) AS sessionID
| streamstats count(eval(searchmatch(LOADING to FULL"))) AS endsWithPos BY sessionID
| eventstats count(eval(searchmatch(LOADING to FULL"))) AS endsWithCount BY sessionID
| search endsWithPos = endsWithCount
| stats rante(time) AS duration BY sessionID
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2019 10:53 AM

What are the values of the 'closed_txn' and '_txn_orphan' fields for the transactions missing startswith events? If the former is non-zero, add the keeporphans option to the transaction; if the latter is non-zero, use keepevicted=false.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mikecal
Explorer
‎10-12-2019 09:01 AM

Thanks for your reply. The value for keepevicted is non zero and for some reason keeporphans returns no value at. The problem I see with the keepevicted approach is that it cannot distinguish between startswith and endswith. I only want to ignore incomplete transactions where endswith is present with no startswith. However, I do want to know when a startswith value is found and no endswith value is found. When I set keepevicted to false, both endswith and startswith are ignored.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...