Transaction Command Broken when using non-default ...

lokival · ‎09-09-2011

Good Day,

New to splunk, using version 4.2.3

Imported some zipped log files into splunk. I can search them just fine, but the transaction command doesn't work as expected. Using the transaction command to find the duration of connections.

The search being run is -

index=myIndex | search * | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"

The results however are not accurate, I have results where the myId pulled for startswith is different from the myId field pulled for endswith.

However, if I import the data into splunk's default index the above search works as expected.

How can I fix this without re-importing all the logs into the default index?

woodcock · ‎05-29-2015

I agree with @bbingham; why are you using | search *? Try without it like this:

index=myIndex | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"

Also try this:

index=myIndex | stats list(_raw) by myId

bbingham · ‎09-12-2011

Can you post an example of the data set?

also you don't need the |search *, index=myIndex| transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" should produce the same result with less overhead.

Transaction Command Broken when using non-default index?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation