Splunk Search

How to use transaction command

splunkn
Communicator

I'm very new to Splunk. Could anyone please help me with the following issue?

I need to collect details about the user for the successful login attempts.
These successful login events are split into 2 or 3 events, with various details in each event. I want to group these two or three events by a transaction ID.

Sample logs

Passed Login <0112233> username=abc
Passed Login <0112233> userage=20
Passed Login <0112233> userid=12345

Field extracted - TransactionID = 0112233

If I run a query like this: index=* sourcetype=* "Passed Login" | transaction TransactionID, I get results, but they are limited to only 4999 (up to 5000). But I have more events. Why are those events not taken into account?

If I use the parameter maxevents=2, then unique transactions with 3 events are getting omitted?

How do I deal with the above? Any ideas?

Thanks in advance

0 Karma
1 Solution

MuS
Legend

Hi splunkn,

You are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem of 3 or more events per transaction being omitted: well, if you use the maxevents=2 option you will get back at most 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS


splunkn
Communicator

Many thanks MuS. It worked when I added the keepevicted parameter.
Could you please explain in detail what it does?

And now I guess I don't need to mention maxevents, right? Because without maxevents it's clubbing fine now.
Is this correct?

0 Karma

MuS
Legend

Take a look at the docs about the transaction command: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction. It has all the details.

Yes, you don't need maxevents.

0 Karma
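A fuller version of the search discussed in this thread, added here as an example and not part of the original posts. The first search is the accepted answer's transaction call with the maxevents constraint explicitly disabled (a negative value, per the docs quoted above), followed by a table that exposes the closed_txn and eventcount fields the transaction command produces, so you can see which groups were evicted (closed_txn=0) and which are incomplete (fewer than 3 events). The second search builds the same per-login summary with stats instead of transaction; it is not subject to the transaction command's open-transaction limits and is the usual choice when the only thing tying the events together is a shared ID. The field names username, userid, userage and TransactionID come from the sample logs; first_seen, last_seen and the assumption that a complete login produces 3 events are mine.

```spl
index=* sourcetype=* "Passed Login"
| transaction TransactionID keepevicted=true maxevents=-1
| table _time TransactionID username userid userage eventcount closed_txn
| where eventcount < 3 OR closed_txn=0

index=* sourcetype=* "Passed Login"
| stats earliest(_time) AS first_seen latest(_time) AS last_seen
        values(username) AS username values(userid) AS userid values(userage) AS userage
        count AS eventcount
  BY TransactionID
| where eventcount < 3
```

Run the two searches separately. The final where clause in each is a consistency check: with keepevicted=true no transactions are silently dropped, so any row it returns is a login whose events were genuinely not all indexed (or whose transaction was evicted), rather than a search-time artifact. Drop that clause to see the full list of grouped logins.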