Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transactions events at the same second

aohls
Contributor
‎06-06-2019 05:48 AM

I am using the transaction command to identify if a report runs over a certain time. Below is my search:

| transaction startswith="Start" endswith="Finish" keeporphans=true
| where _txn_orphan=1

This primarily is working except there seem to be some false positives. If a report runs and finishes within the same second (which happens if a user forgets a parameter) Splunk is still counting it as orphaned, so _txn_orphan is still 1 but it should be 0 since it actually completed. Has anyone run into this and have a better way or workaround for this?

0 Karma
Reply

DavidHourani
Super Champion
‎06-06-2019 05:53 AM

Hi @aohls,

You can easily get rid of this by adding to your condition a minimum duration for the transaction. That way all those noisy transaction won't show anymore 🙂

Cheers,
David

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...