Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction failures

twinspop
Influencer
‎06-15-2010 06:17 PM

Trying to get a transaction search to work. The transaction is logged in 2 different log sources, with the matching field named differently in each. I use rename to match them up. The DXI events have CORRELATIONID, the sendMessage events have msgid.

I manually found 1 that I know exists and searched for its GUID explicitly, along with the 2 identifiers I'll use in the generic search, and piped them into transaction. The maxspan is 130m because the test transaction takes about 123m to complete.

(DXI OR sendMessage) 652F5692-5F3F-3434-F47B-180BA1CBDDEF | rename CORRELATIONID as msgid | transaction msgid keepevicted=true maxspan=130m

1 transaction returned with an eventcount of 2. Exactly the result I expected. Now let's remove the GUID and see all of them:

DXI OR sendMessage | rename CORRELATIONID as msgid | transaction msgid keepevicted=true maxspan=130m

Nope. Not even the test case above is matched. Same time frame searched. What am I missing? There are ~ 90k msgid matches in the target time frame. Too many to run a transaction against with defaults limits set?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2010 07:42 PM

Yes. Try setting the maxopentxn parameter as a transaction argument. By default, it will only leave open 5000 transactions. Feel free to raise it to several hundred thousand or higher. You might also want to raise maxopenevents.

Also, if you just want the eventcount or some other fields in the events, rather than the full event, use stats:

 ... | stats count as evencount, max(_time) as endtime, min(_time) as starttime, first(otherfield) as otherfield by msgid

I'm assuming that since msgids are GUIDs, the maxspan doesn't matter at all, and could be infinite.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2010 07:42 PM

Yes. Try setting the maxopentxn parameter as a transaction argument. By default, it will only leave open 5000 transactions. Feel free to raise it to several hundred thousand or higher. You might also want to raise maxopenevents.

Also, if you just want the eventcount or some other fields in the events, rather than the full event, use stats:

 ... | stats count as evencount, max(_time) as endtime, min(_time) as starttime, first(otherfield) as otherfield by msgid

I'm assuming that since msgids are GUIDs, the maxspan doesn't matter at all, and could be infinite.

Reply
Solved! Jump to solution

twinspop
Influencer
‎06-15-2010 08:47 PM

Excellent. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...