Splunk Search

How to use transaction command

splunkn
Communicator

Im very new to splunk. Could anyone please help me with the following issue?

I am in need to collect the details about the user for the Success Login attempts.
These success login attempts events are split up into 2 or 3 events with various details in each event. I want to group these two or three events by a transaction ID

Sample logs

Passed Login <0112233> username=abc
Passed Login <0112233> userage=20
Passed Login <0112233> userid=12345

Field extracted - TransactionID = 0112233

If i give query like this "index=* sourcetype=* "Passed Login" | transaction TransactionID, I am getting results but which are limited to only 4999. (upto 5000). But im having more events. Why those events are not taken into account

If I use the parameter maxevents=2, then uniquetransaction with 3 events are getting omitted?

How to done with the above ? Any ideas??

Thanks in advance

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi splunkn,

you are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem 3 events or more per transaction being omitted; well if you use the maxevents=2 option you will get back max 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint  is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi splunkn,

you are hitting a limit which is set in limits.conf related to evicted events. Use your search like this:

index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID

Regarding your problem 3 events or more per transaction being omitted; well if you use the maxevents=2 option you will get back max 2 events. From the docs:

maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint  is disabled. By default, maxevents=1000.

Hope this helps ...

cheers, MuS

splunkn
Communicator

Many thanks MuS. It worked when I have added up the keepevicted parameter.
Could you please explain in detail what it does?

And now I guess I don't need to mention maxevents right? Because without maxevents its clubbing fine now.
Is this correct?

0 Karma

MuS
SplunkTrust
SplunkTrust

take a look at the docs about the transaction command http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction it has all the details

Yes, you don't need maxevents.

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...