I'm very new to Splunk. Could anyone please help me with the following issue?
I need to collect the user details for the successful login attempts.
These successful login attempt events are split up into 2 or 3 events, with various details in each event. I want to group these two or three events by a transaction ID.
Passed Login <0112233> username=abc
Passed Login <0112233> userage=20
Passed Login <0112233> userid=12345
Field extracted:
TransactionID = 0112233
If I run a query like this:
index=* sourcetype=* "Passed Login" | transaction TransactionID
I get results, but they are limited to only 4999 (up to 5000). But I have more events. Why are those events not taken into account?
If I use the parameter maxevents=2, then unique transactions with 3 events are getting omitted?
How can I deal with the above? Any ideas?
Thanks in advance
You are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:
index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID
Regarding your problem of 3 or more events per transaction being omitted: well, if you use the maxevents=2 option you will get back at most 2 events. From the docs:
maxevents=<int> Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled. By default, maxevents=1000.
Hope this helps ...
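To make the two effects in the answer concrete, here is a simplified model of how the transaction command groups events, evicts open transactions past a limit, and caps each group at maxevents. It is an added illustration, not Splunk's code; the eviction limit of 5000 is assumed from the maxopentxn default in the [transactions] stanza of limits.conf, and the sample events are constructed.

```python
"""Simplified model of what the `transaction` command does with open
transactions, added to illustrate the answer above; it is not Splunk's
own implementation.  Limit names mirror the [transactions] stanza of
limits.conf (maxopentxn, default 5000, is the assumed eviction limit)."""
from collections import OrderedDict
import re

# Matches the raw event format quoted in the question.
FIELD_RE = re.compile(r"Passed Login <(?P<TransactionID>\d+)> (?P<key>\w+)=(?P<val>\S+)")

def parse_event(raw):
    """Extract TransactionID and the key=value pair from one raw event."""
    m = FIELD_RE.search(raw)
    return m.groupdict() if m else None

def transaction(events, maxevents=1000, keepevicted=False, maxopentxn=5000):
    """Group parsed events by TransactionID (modelled, not Splunk's code).
    A transaction closes when it reaches maxevents; a later event with the
    same id starts a new one.  Past maxopentxn open transactions the oldest
    is evicted and returned (flagged closed_txn=0) only if keepevicted."""
    open_txn = OrderedDict()
    out = []
    for ev in events:
        tid = ev["TransactionID"]
        txn = open_txn.get(tid)
        if txn is None:
            if len(open_txn) >= maxopentxn:
                _, evicted = open_txn.popitem(last=False)
                evicted["closed_txn"] = 0
                if keepevicted:
                    out.append(evicted)
            txn = open_txn[tid] = {"TransactionID": tid, "events": [], "closed_txn": 1}
        txn["events"].append(ev)
        if len(txn["events"]) == maxevents:
            out.append(open_txn.pop(tid))
    out.extend(open_txn.values())  # still open at end of search: returned as complete
    return out

# Constructed sample: 6000 logins, each split into three events as in the question.
SAMPLE = [f"Passed Login <{i:07d}> {k}={v}"
          for i in range(6000)
          for k, v in (("username", "abc"), ("userage", "20"), ("userid", str(10000 + i)))]

def run(maxevents=1000, keepevicted=False):
    """Run the modelled transaction command over SAMPLE with the given options."""
    parsed = [p for p in map(parse_event, SAMPLE) if p]
    return transaction(parsed, maxevents=maxevents, keepevicted=keepevicted)
```

Without keepevicted the 6000 logins come back as 5000 groups, with it as 6000 (1000 of them flagged closed_txn=0), and with maxevents=2 no group ever holds the third event.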
Many thanks MuS. It worked when I added the keepevicted parameter.
Could you please explain in detail what it does?
And now I guess I don't need to mention maxevents, right? Because without maxevents it's clubbing fine now.
Is this correct?