Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transaction Command

splunkpoornima
Communicator
‎11-07-2012 04:32 AM

hi all

i have taskmanager log files which has the events like

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,START

Mon Jun 25 00:00:30 CDT 2012,DistributedEvaluation,COMPLETION: Succeeded

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,START

Mon Jun 25 00:05:13 CDT 2012,DealStatusUpdate,Status : Completed with errors

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,START

Mon Jun 25 00:05:19 CDT 2012,AccquireGlobalLock,COMPLETION : Completed with errors

i used the serach query like below to find the duration for the above three tasks

source="xxx"|transaction TaskAction startswith=START endswith=COMPLETION: OR Staus 😐

thanks in advance

poornima

but it showed me oly the duration for the Task has COMPLETION: and not for the Staus :

Tags (1)
0 Karma
Reply

Ayn
Legend
‎11-07-2012 05:15 AM

I see a couple of problems in your search.

First of all your logs use the string "Status :", not "Staus :" which you seem to be using. Where the ending pipe (Status :|) comes from I don't understand at all. So, even if you were using the correct syntax for transaction (which you are not, see below) you have errors there that would cause it not to work as you want.

Most importantly, you're using the wrong syntax. You're saying "endswith=COMPLETION: OR Staus:|", which I interpret as that you want the endswith condition to cover either the string "COMPLETION:" or "Staus :". This is not how transaction interprets it. It sees the endswith=COMPLETION:, then three totally separate terms - "OR", "Staus" and ":". Terms that aren't connected to an argument are interpreted as fields that it should use when building transactions.

To match endswith on multiple strings, you need to use an eval expression instead. Based on your sample input I'd do something like:

... | transaction TaskAction startswith=START endswith=eval(match(_raw,"COMPLETION:") OR match(_raw,"Status :"))

Docs on transaction: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

Reply

kbaden
Explorer
‎12-12-2016 10:21 PM

This was excellent!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...