Transaction Command Broken when using non-default ...

lokival · ‎09-09-2011

Good Day,

New to splunk, using version 4.2.3

Imported some zipped log files into splunk. I can search them just fine, but the transaction command doesn't work as expected. Using the transaction command to find the duration of connections.

The search being run is -

index=myIndex | search * | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"

The results however are not accurate, I have results where the myId pulled for startswith is different from the myId field pulled for endswith.

However, if I import the data into splunk's default index the above search works as expected.

How can I fix this without re-importing all the logs into the default index?

woodcock · ‎05-29-2015

I agree with @bbingham; why are you using | search *? Try without it like this:

index=myIndex | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up"

Also try this:

index=myIndex | stats list(_raw) by myId

bbingham · ‎09-12-2011

Can you post an example of the data set?

also you don't need the |search *, index=myIndex| transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" should produce the same result with less overhead.

Transaction Command Broken when using non-default index?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Transaction Command Broken when using non-default index?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases