Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to only return events that have no corresponding start or end transaction event?

horsefez
SplunkTrust
SplunkTrust
‎01-11-2016 04:14 AM

Hi Splunk community,

I'm currently trying to correlate different event sources and events with each other.

My search gives me the following results:

Event A
Event B
Event A
Event B
Event B <---
Event A
Event B
Event A
Event B
etc.

You can see that there is one Event B that has no Event A in front of it.

Can I somehow tell Splunk to only show events where the Event is only B and no A before or only A and no B afterwards?

I know about transaction, but I don't know how to only show results that do not match a transaction condition.

Any suggestions to solve this without transactions?

Thank you in advance!

Regards,
pyro_wood

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-11-2016 06:26 AM

Assuming you have used transaction command and grouping appears right, you can use the keepevicted & closed_txn options to show events that are not grouped. So your command will look something like this

.... | transaction <unique_field> startswith=abc endswith=xyz keepevicted=t | table _raw closed_txn | where closed_txn=1

View solution in original post

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎01-11-2016 08:11 AM

Without transaction it could look like this by using the streamstats command:

| streamstats last(event) AS previous_event current=f window=1
| search event="B" AND previous_event!="A"
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎01-11-2016 08:20 AM

You can include filter for event=A as well here. Like
....
| search (event="B" AND previous_event!="A") OR (event="A" AND previous_event!="B")

0 Karma
Reply
Solved! Jump to solution

horsefez
SplunkTrust
SplunkTrust
‎01-11-2016 08:53 AM

Thank you for your suggestions!
I'll try them aswell!

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-11-2016 06:26 AM

Assuming you have used transaction command and grouping appears right, you can use the keepevicted & closed_txn options to show events that are not grouped. So your command will look something like this

.... | transaction <unique_field> startswith=abc endswith=xyz keepevicted=t | table _raw closed_txn | where closed_txn=1
Reply
Solved! Jump to solution

gmartinn
New Member
‎03-20-2020 04:56 AM

keepevicted=true

0 Karma
Reply
Solved! Jump to solution

horsefez
SplunkTrust
SplunkTrust
‎01-11-2016 08:23 AM

Wow! :)))))))

Keepevicted is such a useful parameter. I almost gave up, not finding any solution.
Thank you, you literally made my day! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...