Splunk Search

How to use transaction command

splunkn
Communicator

Im very new to splunk. Could anyone please help me with the following issue?

I am in need to collect the details about the user for the Success Login attempts.
These success login attempts events are split up into 2 or 3 events with various details in each event. I want to group these two or three events by a transaction ID

Sample logs

Passed Login <0112233> username=abc
Passed Login <0112233> userage=20
Passed Login <0112233> userid=12345

Field extracted - TransactionID = 0112233

If i give query like this "index=* sourcetype=* "Passed Login" | transaction TransactionID, I am getting results but which are limited to only 4999. (upto 5000). But im having more events. Why those events are not taken into account

If I use the parameter maxevents=2, then uniquetransaction with 3 events are getting omitted?

How to done with the above ? Any ideas??

Thanks in advance

Tags (1)
0 Karma
1 Solution

MuS
Legend

Hi splunkn,

you are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem 3 events or more per transaction being omitted; well if you use the maxevents=2 option you will get back max 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint  is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi splunkn,

you are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem 3 events or more per transaction being omitted; well if you use the maxevents=2 option you will get back max 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint  is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS

splunkn
Communicator

Many thanks MuS. It worked when I have added up the keepevicted parameter.
Could you please explain in detail what it does?

And now I guess I don't need to mention maxevents right? Because without maxevents its clubbing fine now.
Is this correct?

0 Karma

MuS
Legend

take a look at the docs about the transaction command http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction it has all the details

Yes, you don't need maxevents.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...