Splunk Search

How to get transactions that just have start events?

Path Finder


There are login messages and logout messages in the log files. I want to get those users who have not been logout. My search is:

host="trantest" | transaction user,sessionid startswith="loginmessage" endswith="logoutmessage" keepevicted=true

It should return all transactions containing

  1. just have start event
  2. just have end event
  3. have both start event and end event

But I just get 2) and 3), and i can not get those transactions just have start event.

Any suggestions about transaction usage or any other way of getting users have not logout?

Thanks & Best regards.


Tags (1)

Super Champion

Answer to question 2

This type of scenario certainly requires some sort of startswith/endswith logic because your field values seem to repeat too frequently. (There could be a timing related fix, e.g. using maxpause or maxspan, but you'll have to decide if that is possible with your data or not. See link at bottom of this post.)

I think I found a working solution by using just "startswith" without using "endswith" (the keepevicted=true doesn't seem to matter in this test case.) I did some playing around with your provided sample data (I copied and pasted into a temp file and used splunk to load it with the file command without indexing it 😉 splunk rocks!)

| file /tmp/examplefile.txt | sort -_time | rex "ip=(?<ip>\d+)" | rex "\s(?<router>\w+)\s\[" | transaction router,ip startswith="aaaaaaa" | eval my_closed_txn=if(searchmatch("bbbbbbb"),1,0)

The first 3 search commands are needed to attempt to match your environment; you can pretty much ignore them.

Side note:

BTW, Simply using searchmatch is not 100% accurate here. This is because we are not ensuring that it is the last event, we are only making sure that the text string "bbbbbbb" exists within the combined transaction event's text (the _raw field). So this can be a problem if "bbbbbbb" occurs as the second event of 3, this approach will not catch that. You can work around this by using match instead of searchmatch in combination with a multiline regex that explicitly will match the bbbbbbb on the last line only. Of the top of my head (aka untested), you could probably use an expression like this:

   | eval my_closed_txn=if(match(_raw, "(?ms)^.*[\r\n][^\r\n]+\bbbbbbbb\b(?:[\r\n]+|$)",1,0)

In case your not a regex guru, "\b" means boundary, which is even more confusing when you are already matching "b"s. 😉 So this approach would be more accurate, but often it's not worth the hassle. (I have used this approach when analyzing FTP transactions to see if the last session event was a "successful logout", so this kind of thing is needed from time to time.)

Make sure you note this Q&A: Does combining startswith and maxspan in a transaction work?

Hope this helps.

Path Finder

Hi Lowell,

There is a question to your dropping logic.

The log events are list below. And the transaction is defined as "startswith=aaaaaaa endswith=bbbbbbb", so the search statement should be

host="trantest" | rex "\s(?<router>\w+)\s\[" | transaction router,ip startswith="aaaaaaa" endswith="bbbbbbb" keepevicted=true

  1. May 24 00:33:30 aaa [info] ip=123, aaaaaaa
  2. May 24 00:33:39 aaa [info] ip=123, ccccccc
  3. May 24 00:34:55 aaa [info] ip=123, bbbbbbb
  4. May 24 00:35:01 aaa [info] ip=123, aaaaaaa
  5. May 24 00:35:10 bbb [info] ip=456, aaaaaaa
  6. May 24 00:35:55 aaa [info] ip=789, aaaaaaa
  7. May 24 00:36:00 bbb [info] ip=456, ddddddd
  8. May 24 00:36:07 bbb [info] ip=456, bbbbbbb
  9. May 24 00:36:09 aaa [info] ip=101, bbbbbbb
  10. May 24 00:39:30 bbb [info] ip=112, aaaaaaa
  11. May 24 00:39:35 bbb [info] ip=112, bbbbbbb
  12. May 24 00:39:37 aaa [info] ip=123, bbbbbbb
  13. May 24 00:39:38 aaa [info] ip=123, aaaaaaa

If moved "startswith"/"endswith" logic into a secondary search, the search statement is

host="trantest" | rex "\s(?<router>\w+)\s\[" | transaction router,ip | search "aaaaaaa" NOT "bbbbbbb"

then, then last event will be treated as a event in a completed transaction(router=aaa,ip=123).

In my instance, it should belong to a uncomplete transaction.

Any suggestion to this point?

Thanks & Best regards,


0 Karma

Super Champion

I've run into some similar issues which I've reported to splunk support and I know I've seen other post about transaction issues.

I would try working around the issue by dropping the "startswith"/"endswith" logic and moving that into a secondary search.

host="trantest" | transaction user,sessionid maxspan=7d | search loginmessage NOT logoutmessage

This should do what you want. You will probably want to put an better time limit on this (I picked 7 day as an arbitrary example).

You may also find it useful to add search criteria based on the eventcount field, which is added by the transaction command. Something like | search eventcount>=2

Transaction support has been greatly improved from 3.x to 4.x and I'm hoping to see even more improvements in the future. IMHO, your example search should work.

Path Finder

Thanks for your suggestion. I just have another question about this below. I want to know how did you deal with it. Thanks.

0 Karma