Splunk Search

Transaction Command startswith & endswith not working without filtering the events

abhinav_maxonic
Path Finder

I am grouping events using the transaction command. Sample search which gives expected results below :
Successful Search:

(index=ind1 OR index=ind2) MachineId=1133 (log_text="*sometext1*" OR log_text="*sometext2*" OR log_text="*sometext3*" OR log_text="*sometext4*" OR log_text="*sometext5*" OR log_text="*sometext6*") | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text

6 log_texts are transactions events.

If I search removing log_text filters, transaction does not work. Sample search below:

Unsuccessful Search:

(index=ind1 OR index=ind2) MachineId=1133 | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text

I am unable to understand this. Can someone please explain?

0 Karma

javiergn
Super Champion

Try this instead to ensure you are only displaying events where the log_text field has a value:

(index=ind1 OR index=ind2) MachineId=1133 log_text=* | transaction startswith="sometext1" endswith="sometext2" mvlist=true | table _time,log_text
0 Karma

abhinav_maxonic
Path Finder

Already tried. This is also not working.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

What version of Splunk are you using? There is a bug in 6.3 regarding the transaction command. (SPL-107742) This was resolved in 6.3.2..

0 Karma

abhinav_maxonic
Path Finder

I am using Splunk 6.3.0 . So will it work fine in 6.3.2 ?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Upgrade to the latest, it should resolve the issue.

0 Karma

abhinav_maxonic
Path Finder

Ok. I'll try that.

0 Karma

abhinav_maxonic
Path Finder

Upgrading didn't worked .. Still not getting results. Now using splunk 6.3.2 . Any other suggestion ? or any other possibility or reason, why its not working ..

0 Karma

javiergn
Super Champion

OK, without knowing what sometext is I would try the following and see if that works:

(index=ind1 OR index=ind2) MachineId=1133 log_text=*
| fields  _time, log_text
| transaction startswith=eval(match(log_text, "sometext1")) endswith=eval(match(log_text, "sometext2")) mvlist=true 
| table _time, log_text

Note the difference in the startswith and endswith filters.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...