Solved: Re: Transaction Events Issue

jberlin · ‎10-11-2013

My search is partially working in the aspect that it returns event data, however all of the events are mashed into one and the duration is calculated off the first event and the last event.

Search Command:
(index=jjj host=server OR host=server2 (inbound OR outbound)) | xmlkv | table _time, host, TokenId, inbound, outbound, _raw | transaction TokenId | search TokenId="$tokenId$"

I would like to the returned data to show each event as they occur or inbound event and outbound event for 1 duration time. Then move on to the next event and so on.

jb

jberlin · ‎10-28-2013

Adding maxspan and maxpause to the transaction resolved the problem.

View solution in original post

jberlin · ‎10-28-2013

Adding maxspan and maxpause to the transaction resolved the problem.

lguinn2 · ‎10-14-2013

Don't use the transaction command, then. It might also be helpful if you explained your data a little more. What do you mean "for 1 duration time"? What exactly do you want the output to look like?

In the meantime, I suggest this:

(index=jjj host=server OR host=server2 (inbound OR outbound)) "$tokenId$" 
| xmlkv 
| search TokenId="$tokenId$"
| table  _time, host, TokenId, inbound, outbound, _raw

Transaction Events Issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation