Splunk Search
Highlighted

How to use transaction command

Communicator

Im very new to splunk. Could anyone please help me with the following issue?

I am in need to collect the details about the user for the Success Login attempts.
These success login attempts events are split up into 2 or 3 events with various details in each event. I want to group these two or three events by a transaction ID

Sample logs

Passed Login <0112233> username=abc
Passed Login <0112233> userage=20
Passed Login <0112233> userid=12345

Field extracted - TransactionID = 0112233

If i give query like this "index=* sourcetype=* "Passed Login" | transaction TransactionID, I am getting results but which are limited to only 4999. (upto 5000). But im having more events. Why those events are not taken into account

If I use the parameter maxevents=2, then uniquetransaction with 3 events are getting omitted?

How to done with the above ? Any ideas??

Thanks in advance

Tags (1)
0 Karma
Highlighted

Re: How to use transaction command

SplunkTrust
SplunkTrust

Hi splunkn,

you are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem 3 events or more per transaction being omitted; well if you use the maxevents=2 option you will get back max 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint  is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS

View solution in original post

Highlighted

Re: How to use transaction command

Communicator

Many thanks MuS. It worked when I have added up the keepevicted parameter.
Could you please explain in detail what it does?

And now I guess I don't need to mention maxevents right? Because without maxevents its clubbing fine now.
Is this correct?

0 Karma
Highlighted

Re: How to use transaction command

SplunkTrust
SplunkTrust

take a look at the docs about the transaction command http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction it has all the details

Yes, you don't need maxevents.

0 Karma