I am doing the labs for Fundamentals Part 2 and I am not understanding something
I have to use the startswith and endswith options of the transaction command to display transactions that
begin with an addtocart action and end with a purchase action.
The end result should look like this
The successful query for that is
index=web sourcetype=access_combined
| transaction clientip startswith=action="addtocart" endswith=action="purchase"
| table clientip, JSESSIONID, product_name, action, duration, eventcount, price
However, when I try the following query
index=web sourcetype=access_combined
| transaction clientip startswith="addtocart" endswith="purchase"
| table clientip, JSESSIONID, product_name, action, duration, eventcount, price
the output (shown below) I get is not correct
I am interested to know why omitting the "action" filter with startswith and endswith gives me a different result and doesn't group them anymore?
Thank you in advance for your help
There might be other events which have "addtocart" and/or "purchase" strings. You may verify that by searching for these specific strings. But when you add "action=addtocart" it's only looking for real transactions which have some actions in them.
Try comparing
index=web sourcetype=access_combined ("addtocart" OR "purchase")|stats count
with
index=web sourcetype=access_combined (action="addtocart" OR action="purchase")|stats count
Hello, you are right. Thanks a lot for your time.
I think I have figured it out.
When I try the following command
index=web sourcetype=access_combined
| transaction clientip startswith="addtocart" endswith="purchase"
| table clientip, JSESSIONID, product_name, action, duration, eventcount, price
Splunk is grouping any event where the string "addtocart" comes before the string "purchase", regardless of whether those events are the values of the action field or not.
That's why, in the screenshot in the action column, I still see entries which have only "purchase", and this is what confused me because I could not understand why there isn't an "addtocart" too in that column for the same transaction.
However, when we specify startswith=action="addtocart", we make it clear we only want events where the action field starts and ends with those values.
Your comment and some goofing around (screenshot below) helped make it clear for me.
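To see the difference in plain code, here is an added Python model (not Splunk's implementation and not code from this thread) of startswith/endswith matching over a few constructed access_combined-style events: a bare string is searched anywhere in the raw event text, whereas action="..." compares only the extracted field. The transaction model is simplified and drops groups that never reach an end event.

```python
import re

# Constructed access_combined-style events, oldest first (sample data, not the lab's real index).
RAW_EVENTS = [
    '10.1.1.1 - - [10/Oct/2023:10:00:01] "GET /static/addtocart.js HTTP/1.1" 200',
    '10.1.1.1 - - [10/Oct/2023:10:00:05] "GET /cart.do?action=view&itemId=EST-14 HTTP/1.1" 200',
    '10.1.1.1 - - [10/Oct/2023:10:00:09] "GET /cart.do?action=addtocart&itemId=EST-14 HTTP/1.1" 200',
    '10.1.1.1 - - [10/Oct/2023:10:00:20] "GET /cart.do?action=purchase&itemId=EST-14 HTTP/1.1" 200',
    '10.1.1.2 - - [10/Oct/2023:10:01:00] "GET /static/addtocart.js HTTP/1.1" 200',
    '10.1.1.2 - - [10/Oct/2023:10:01:30] "GET /cart.do?action=purchase&itemId=EST-7 HTTP/1.1" 200',
]

def extract(raw):
    """Mimic field extraction: clientip is the first token, action comes from the request URI."""
    m = re.search(r"[?&]action=(\w+)", raw)
    return {"clientip": raw.split()[0], "action": m.group(1) if m else None, "_raw": raw}

EVENTS = [extract(r) for r in RAW_EVENTS]

def raw_match(text):
    """startswith="addtocart": a plain string is searched anywhere in the raw event."""
    return lambda ev: text in ev["_raw"]

def field_match(field, value):
    """startswith=action="addtocart": only the extracted field is compared."""
    return lambda ev: ev.get(field) == value

def count_matching(events, *preds):
    """Model of `<search> (A OR B) | stats count`: events matching any predicate."""
    return sum(1 for ev in events if any(p(ev) for p in preds))

def transaction(events, key, starts, ends):
    """Simplified `| transaction <key> startswith=... endswith=...`: a start event opens a
    group for its key, later events with that key join it, an end event closes it.
    Groups never closed by an end event are dropped (eviction is not modelled)."""
    open_tx, closed = {}, []
    for ev in events:
        k = ev[key]
        if starts(ev):
            open_tx[k] = [ev]          # a new start replaces any unfinished group
        elif k in open_tx:
            open_tx[k].append(ev)
            if ends(ev):
                grp = open_tx.pop(k)
                closed.append({"clientip": k, "eventcount": len(grp),
                               "action": [e["action"] for e in grp]})
    return closed
```

With the bare strings, 10.1.1.2's request for addtocart.js opens a group that the later purchase closes, so its action column shows only "purchase"; with action="addtocart" that group never starts.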