Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transaction Command

splunkpoornima
Communicator
‎11-07-2012 04:32 AM

hi all

i have taskmanager log files which has the events like

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,START

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,COMPLETION: Succeeded

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,START

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,Status : Completed with errors

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,START

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,COMPLETION : Completed with errors

i used the serach query like below to find the duration for the above three tasks

source="xxx"|transaction TaskAction startswith=START endswith=COMPLETION: OR Staus 😐

thanks in advance

poornima

but it showed me oly the duration for the Task has COMPLETION: and not for the Staus :

Tags (1)
0 Karma
Reply

Ayn
Legend
‎11-07-2012 05:15 AM

I see a couple of problems in your search.

First of all your logs use the string "Status :", not "Staus :" which you seem to be using. Where the ending pipe (Status :|) comes from I don't understand at all. So, even if you were using the correct syntax for transaction (which you are not, see below) you have errors there that would cause it not to work as you want.

Most importantly, you're using the wrong syntax. You're saying "endswith=COMPLETION: OR Staus:|", which I interpret as that you want the endswith condition to cover either the string "COMPLETION:" or "Staus :". This is not how transaction interprets it. It sees the endswith=COMPLETION:, then three totally separate terms - "OR", "Staus" and ":". Terms that aren't connected to an argument are interpreted as fields that it should use when building transactions.

To match endswith on multiple strings, you need to use an eval expression instead. Based on your sample input I'd do something like:

... | transaction TaskAction startswith=START endswith=eval(match(_raw,"COMPLETION:") OR match(_raw,"Status :"))

Docs on transaction: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

Reply

kbaden
Explorer
‎12-12-2016 10:21 PM

This was excellent!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...