Solved: Search for non transaction events

huaraz · ‎09-13-2011

Hi,

I would like to find out that my transactions are correctly put together so that I don't get invalid transactions if for example a start or stop event get lost.

If I would usually have:

start event;
10 events;
stop event

which would be 1 transaction, but then because of a crash or some other data loss I get

start event;
10 events;
start event;
10 events;
stop event

or

start event;
10 events;
stop event;
10 events;
stop event

How many transactions would I get ? What would I get with:

start event;
10 events;
stop event;
5 events;
start event;
10 events;
stop event

Can I search for everything which is not part of a transaction to identify the 5 events ?

Thank you

Markus

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

View solution in original post

bbingham · ‎09-13-2011

transactions have a field labeled "closed_txn", in your example do the following:

|transaction startswith="start event" endswith="end event" keepevicted=t 
| search closed_txn=0

Any transaction that is currently "unfinished" or any event that isn't part of the transaction but still in the stream will be listed.

Search for non transaction events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation