Splunk Search

Unable to Get Transaction Command to Work Past Three Days

davespatz
Explorer

Ok, so I just upgraded my F5 APM (VPN server) in order to support Windows 10. I asked IT people to test on their Windows 10 machines and now just need to follow up on how many users actually tested. Each VPN session has a unique apm_session_id. I do a transaction on that ID to group all the sessions into one event, then filter from there as per below. The good news is that the search below works great if I look at the last three days - specifically, it gives me back two results showing Win10 and a UID (one on November 13th and another today, November 15th). The bad news is that if I simply change the date range to, say, all of last week (which includes Friday's), NOTHING comes back - specifically, "No results found." It should have found Friday's at least, but now finds nothing?

I tried using maxevents=999999999 or maxevents=-1, keepevicted, etc. and nothing works. Any ideas? I just need to run this same search (that works just fine over 2-3 days) over a period of two weeks. What gives?

Search:

host=renamed-apm-host | transaction apm_session_id | search cplatform=Win10 | stats count by apm_uid cplatform
0 Karma

lguinn2
Legend

The transaction command is probably running out of memory. Maybe you should try an alternate search:

host=renamed-apm-host cplatform=Win10 
| stats count by apm_uid cplatform

Will this work? It should be loads faster...

0 Karma
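If the reason for transaction was that cplatform and apm_uid are logged in different events of the same VPN session, the filter-first search above would drop those sessions. The following is an added example (not from either post) that keeps the per-session grouping with stats instead of transaction; it assumes every event of a session carries apm_session_id, and that cplatform and apm_uid each appear in at least one event of the session:

```spl
host=renamed-apm-host
| stats values(cplatform) AS cplatform values(apm_uid) AS apm_uid BY apm_session_id
| search cplatform=Win10
| stats count AS sessions BY apm_uid cplatform
```

stats is distributable and does not have to hold open sessions in memory while it waits for a closing event, so it is not subject to the transaction memory/maxevents limits that make a two-week range return no results. The second stats counts one row per session, which is the same thing the original post's stats count counted after transaction collapsed each session into a single event.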