Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transaction Command

splunkpoornima
Communicator
‎11-07-2012 04:32 AM

hi all

i have taskmanager log files which has the events like

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,START

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,COMPLETION: Succeeded

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,START

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,Status : Completed with errors

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,START

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,COMPLETION : Completed with errors

i used the serach query like below to find the duration for the above three tasks

source="xxx"|transaction TaskAction startswith=START endswith=COMPLETION: OR Staus 😐

thanks in advance

poornima

but it showed me oly the duration for the Task has COMPLETION: and not for the Staus :

Tags (1)
0 Karma
Reply

Ayn
Legend
‎11-07-2012 05:15 AM

I see a couple of problems in your search.

First of all your logs use the string "Status :", not "Staus :" which you seem to be using. Where the ending pipe (Status :|) comes from I don't understand at all. So, even if you were using the correct syntax for transaction (which you are not, see below) you have errors there that would cause it not to work as you want.

Most importantly, you're using the wrong syntax. You're saying "endswith=COMPLETION: OR Staus:|", which I interpret as that you want the endswith condition to cover either the string "COMPLETION:" or "Staus :". This is not how transaction interprets it. It sees the endswith=COMPLETION:, then three totally separate terms - "OR", "Staus" and ":". Terms that aren't connected to an argument are interpreted as fields that it should use when building transactions.

To match endswith on multiple strings, you need to use an eval expression instead. Based on your sample input I'd do something like:

... | transaction TaskAction startswith=START endswith=eval(match(_raw,"COMPLETION:") OR match(_raw,"Status :"))

Docs on transaction: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

Reply

kbaden
Explorer
‎12-12-2016 10:21 PM

This was excellent!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...