Splunk Search

Transaction command not closed properly

New Member

Hi, I need help with transaction command results.
I have the following input to the transaction command:

eventID,"_time","start_time_formated",from,to
"d5f1b6d3-e711-4768-8938-85b22e7874ee","2019-05-29T15:28:37.000+0000","05/29/19 03:28:37 PM","class-A","class-B"
"82fa4200-e608-4220-b8c7-17533a4da494","2019-05-29T19:30:55.000+0000","05/29/19 07:30:55 PM","class-B","class-A"
"96a6bf68-ceed-4ba1-82c0-215cee7465d3","2019-05-29T19:46:56.000+0000","05/29/19 07:46:56 PM","class-A","class-B"
"918adee8-5725-4dc3-8028-552be6716079","2019-05-29T22:30:43.000+0000","05/29/19 10:30:43 PM","class-B","class-A"
"4679dbe9-15d3-4a48-b0ab-6388d72d1f38","2019-05-30T06:20:27.000+0000","05/30/19 06:20:27 AM","class-A","class-B"
"70b91ce6-78fe-4f26-8c7a-bce01a273689","2019-05-30T08:45:41.000+0000","05/30/19 08:45:41 AM","class-B","class-A"
"e8ec879f-5024-4fcb-901d-da2a7ac377a7","2019-05-30T19:44:29.000+0000","05/30/19 07:44:29 PM","class-A","class-B"
"a607c492-49a5-4ee3-9862-46a583aa51c2","2019-05-30T22:00:56.000+0000","05/30/19 10:00:56 PM","class-B","class-A"
"ab1356e2-a18a-4988-9fe4-3fc7f1e1a345","2019-05-31T09:35:08.000+0000","05/31/19 09:35:08 AM","class-A","class-B"
"44318407-96cc-459b-b9b3-ece12cd13916","2019-05-31T09:35:41.000+0000","05/31/19 09:35:41 AM","class-A","class-B"

"4fb3811a-2ac2-46a3-b7c6-ea7106f21878","2019-06-01T04:16:03.000+0000","06/01/19 04:16:03 AM","class-B","class-A"
"d63558d6-c233-4ee3-adf8-66161a784c02","2019-06-03T12:02:01.000+0000","06/03/19 12:02:01 PM","class-A","class-B"
"dce54d12-0dff-4141-8908-ba854ae3255d","2019-06-03T17:02:20.000+0000","06/03/19 05:02:20 PM","class-B","class-A"
"a7c5341d-cc64-465b-a8a8-177646ae6032","2019-06-03T19:44:36.000+0000","06/03/19 07:44:36 PM","class-A","class-B"
"e4a42b0d-0851-4d0c-a88e-dd4ad14de8ab","2019-06-03T21:46:01.000+0000","06/03/19 09:46:01 PM","class-B","class-A"
"921124d4-a7a2-4322-a4cb-00012fb7d2b5","2019-06-04T12:26:03.000+0000","06/04/19 12:26:03 PM","class-A","class-B"
"e7c31f3c-0a7a-43fd-bbc9-1c22b1e6898e","2019-06-04T20:31:40.000+0000","06/04/19 08:31:40 PM","class-B","class-A"
"a1b43590-82ad-4ff6-adbf-0577fa8d734f","2019-06-04T20:53:20.000+0000","06/04/19 08:53:20 PM","class-A","class-B"
"f6335754-0b95-4cd1-8bd7-dd47aaff1de9","2019-06-05T22:00:51.000+0000","06/05/19 10:00:51 PM","class-B","class-A"
"c4b1d067-708d-4978-b49e-6a62b53a442b","2019-06-06T08:55:56.000+0000","06/06/19 08:55:56 AM","class-A","class-B"
"84970990-db0f-49c7-93bf-d8a86534585c","2019-06-06T13:00:44.000+0000","06/06/19 01:00:44 PM","class-B","class-A"
"60aeb407-f834-40cb-9e0f-7c826e773433","2019-06-06T16:13:50.000+0000","06/06/19 04:13:50 PM","class-A","class-B"
"b9cd8cc9-d806-4ca8-b9f2-5aeb73c28c44","2019-06-07T01:01:03.000+0000","06/07/19 01:01:03 AM","class-B","class-A"

See entries in bold above.
When I apply the following transaction command:
(edited)

| transaction *some-field* startswith=(from="class-A") endswith=(from="class-B") unifyends=true maxevents=2  

Somehow I have two transactions from the rows marked above. I would expect only one, as the first one is not completed.
So, I would like to ignore the transaction with transaction id ab1356e2-a18a-4988-9fe4-3fc7f1e1a345.
p.s. I'm not able to use maxopentxn or maxspan.
p.p.s. One of the "recognized" transactions starts with ab1356e2-a18a-4988-9fe4-3fc7f1e1a345 and ends with f6335754-0b95-4cd1-8bd7-dd47aaff1de9, which is even more confusing.

Thanks.


Splunk Employee

You are using the from field as the key for your transaction, but then you are specifying startswith and endswith which are also referencing the from field. You need to use a field that will uniquely identify each transaction. The startswith and endswith should be identifying the beginning event and ending event for that transaction.


New Member

Sorry, that was my mistake in editing (so not actually the issue). I've slightly changed the query so that it's clearer in the post 😕
The transaction command should be something like:
transaction startswith=(from="class-A") endswith=(from="class-B") unifyends=true maxevents=2

And it's actually working, except that it has one additional transaction generated out of event "ab1356e2-a18a-4988-9fe4-3fc7f1e1a345".

I updated the question.


Splunk Employee

This version is missing the field you want to key off of.


New Member

OK, let's try this way.
The exact command is:
source="cloud_trail" index=index_name
| transaction instanceIdentifier startswith=(toClass="class-A") endswith=(toClass="class-B") unifyends=true
| eval starttime=_time | eval endtime=_time+duration
| eval start_time_formated=strftime(starttime,"%x %r")
| eval end_time_formated=strftime(endtime,"%x %r")
| eval tr_duration = duration * 1000
| eval class="class-A"
| table _time instanceIdentifier class tr_duration

After visualisation it looks similar to the attached image. The problematic behaviour is surrounded in red. Whenever I have a "duplicated" event, the transaction is not closed and then I get graphs similar to the one below.

p.s. the image is not visualised in my browser , you can find it here https://drive.google.com/file/d/18m6lQRw9NfXAFYwV-IOW6QLoOrfwuvg5/view?usp=sharing

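The following is an added reference model, not part of the thread and not Splunk's transaction implementation. It applies the pairing that the original question describes as the expected result (each class-A start is closed by the next class-B end; a class-A that is followed by another class-A before any class-B is an unfinished transaction and is dropped rather than stretched to a later class-B) to a subset of the rows posted in the question, and computes the same starttime, endtime, duration and tr_duration fields as the search in the last post. The CSV rows are copied from the question; the drop-on-duplicate-start rule and the explicit display format used in place of strftime's "%x %r" are this model's assumptions. Running it shows ab1356e2 reported as an unclosed start and 44318407 paired with 4fb3811a, which is the output the poster says they expected, so it can be used to diff against what the transaction command actually returns.

```python
"""Reference model (added example, not Splunk's own transaction code) of the
start/end pairing the question expects from
transaction startswith=(from="class-A") endswith=(from="class-B")."""
import csv
import io
from datetime import datetime

# Subset of the rows posted in the question (05/30 through 06/05), verbatim.
EVENTS_CSV = '''eventID,"_time","start_time_formated",from,to
"e8ec879f-5024-4fcb-901d-da2a7ac377a7","2019-05-30T19:44:29.000+0000","05/30/19 07:44:29 PM","class-A","class-B"
"a607c492-49a5-4ee3-9862-46a583aa51c2","2019-05-30T22:00:56.000+0000","05/30/19 10:00:56 PM","class-B","class-A"
"ab1356e2-a18a-4988-9fe4-3fc7f1e1a345","2019-05-31T09:35:08.000+0000","05/31/19 09:35:08 AM","class-A","class-B"
"44318407-96cc-459b-b9b3-ece12cd13916","2019-05-31T09:35:41.000+0000","05/31/19 09:35:41 AM","class-A","class-B"
"4fb3811a-2ac2-46a3-b7c6-ea7106f21878","2019-06-01T04:16:03.000+0000","06/01/19 04:16:03 AM","class-B","class-A"
"d63558d6-c233-4ee3-adf8-66161a784c02","2019-06-03T12:02:01.000+0000","06/03/19 12:02:01 PM","class-A","class-B"
"dce54d12-0dff-4141-8908-ba854ae3255d","2019-06-03T17:02:20.000+0000","06/03/19 05:02:20 PM","class-B","class-A"
"a7c5341d-cc64-465b-a8a8-177646ae6032","2019-06-03T19:44:36.000+0000","06/03/19 07:44:36 PM","class-A","class-B"
"e4a42b0d-0851-4d0c-a88e-dd4ad14de8ab","2019-06-03T21:46:01.000+0000","06/03/19 09:46:01 PM","class-B","class-A"
"921124d4-a7a2-4322-a4cb-00012fb7d2b5","2019-06-04T12:26:03.000+0000","06/04/19 12:26:03 PM","class-A","class-B"
"e7c31f3c-0a7a-43fd-bbc9-1c22b1e6898e","2019-06-04T20:31:40.000+0000","06/04/19 08:31:40 PM","class-B","class-A"
"a1b43590-82ad-4ff6-adbf-0577fa8d734f","2019-06-04T20:53:20.000+0000","06/04/19 08:53:20 PM","class-A","class-B"
"f6335754-0b95-4cd1-8bd7-dd47aaff1de9","2019-06-05T22:00:51.000+0000","06/05/19 10:00:51 PM","class-B","class-A"
'''

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
# Assumption: explicit layout matching the posted start_time_formated column,
# used instead of the locale-dependent "%x %r" from the search.
DISPLAY_FMT = "%m/%d/%y %I:%M:%S %p"


def load_events(text):
    """Parse the CSV into dicts, converting _time to an aware datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_time"] = datetime.strptime(row["_time"], TIME_FMT)
        events.append(row)
    return events


def make_txn(start, end):
    """Mirror the evals in the posted search: starttime, endtime,
    duration in seconds and tr_duration in milliseconds."""
    duration = (end["_time"] - start["_time"]).total_seconds()
    return {
        "start_id": start["eventID"],
        "end_id": end["eventID"],
        "start_time_formated": start["_time"].strftime(DISPLAY_FMT),
        "end_time_formated": end["_time"].strftime(DISPLAY_FMT),
        "duration": duration,
        "tr_duration": int(duration * 1000),
    }


def pair_transactions(events, start_class="class-A", end_class="class-B"):
    """Walk events oldest-first with a single open slot.

    Returns (closed, orphans): closed transactions in time order, and the
    start events that never saw an end before the next start arrived."""
    closed, orphans = [], []
    open_start = None
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["from"] == start_class:
            if open_start is not None:
                # Assumption of this model: a second start before any end
                # means the first one never completed, so it is dropped
                # instead of being allowed to absorb a later class-B.
                orphans.append(open_start)
            open_start = ev
        elif ev["from"] == end_class and open_start is not None:
            closed.append(make_txn(open_start, ev))
            open_start = None
        # a class-B with nothing open is a stray end and is ignored
    if open_start is not None:
        orphans.append(open_start)
    return closed, orphans


if __name__ == "__main__":
    closed, orphans = pair_transactions(load_events(EVENTS_CSV))
    for t in closed:
        print(f'{t["start_time_formated"]} -> {t["end_time_formated"]} '
              f'{t["start_id"][:8]}..{t["end_id"][:8]} tr_duration={t["tr_duration"]}')
    for o in orphans:
        print("unclosed start, dropped:", o["eventID"], o["start_time_formated"])
```

Every pair in the model's output is one class-A followed by its nearest class-B, so any transaction the search returns that is not in this list (such as one running from ab1356e2 to f6335754) is the behaviour to investigate.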