I'm unable to list the transactions that have events matching the startsWith clause but no events for the endsWith clause (I'm using the keepevicted=t option as well). I have a simplified file with only one event to test this:
2010-05-21 09:25:00 : (2314) : Calling function fetchTask
| rex field=message "Calling function (?<repFunction>.[a-zA-Z]+)" | rex field=message "Completed calling function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startsWith=(message="Calling function*") endsWith=(message="Completed calling function*") keepevicted=t
If I add the endsWith event as below, then I get the closed transaction result as expected.
2010-05-21 09:25:03 : (2314) : Completed calling function fetchTask
I'm not sure if I've missed anything here. Any pointers to list the open transaction would be appreciated.
Thanks, Krishna R
EXTRACT-serviceLog2 = \s:\s\((?P<thread_name>[^ ]*)\)\s:\s(?P<message>[^\r\n]*)
This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4).
In the meantime the following search will identify incomplete transactions:
... | rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | search NOT message="Completed calling function*"
Have you tried leaving off the endswith message, then building your own complete/not-complete field with an eval?
Try something like this:
| rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | eval my_close_txn=searchmatch("Completed",1,0)
Dropping endswith didn't help (I tried the exact one you pasted); it resulted in 0 transactions.
I added keepevicted=t; it returned 1 transaction, but closed_txn was 1. (I expected it to be 0, to mark the transaction as open.)
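To check outside Splunk which start events never got a matching end, the pairing discussed in this thread can be reproduced offline. This is an added example, not code from the thread or from Splunk; the function name, the LIFO pairing rule and the sample lines beyond the two quoted in the question are assumptions.

```python
import re
from collections import defaultdict

# Same shape as the EXTRACT-serviceLog2 regex above, with a timestamp group added.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s:\s\((?P<thread_name>[^ ]*)\)\s:\s(?P<message>[^\r\n]*)"
)
START_RE = re.compile(r"^Calling function (?P<fn>[a-zA-Z]+)")
END_RE = re.compile(r"^Completed calling function (?P<fn>[a-zA-Z]+)")


def find_open_transactions(lines):
    """Pair start/end events per (thread_name, function).

    Returns (closed, open_txns). An end event closes the most recent
    unmatched start for the same key (assumed LIFO pairing).
    """
    pending = defaultdict(list)  # (thread, fn) -> timestamps of unmatched starts
    closed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a service log line
        thread, msg, ts = m["thread_name"], m["message"], m["ts"]
        start, end = START_RE.match(msg), END_RE.match(msg)
        if start:
            pending[(thread, start["fn"])].append(ts)
        elif end:
            key = (thread, end["fn"])
            if pending[key]:
                closed.append((thread, end["fn"], pending[key].pop(), ts))
            # an end with no earlier start is ignored in this sketch
    open_txns = sorted(
        (thread, fn, ts) for (thread, fn), stack in pending.items() for ts in stack
    )
    return closed, open_txns


# Constructed sample: lines 1 and 3 are the events quoted in the question,
# the rest are made up for illustration.
SAMPLE = [
    "2010-05-21 09:25:00 : (2314) : Calling function fetchTask",
    "2010-05-21 09:25:01 : (2315) : Calling function fetchTask",
    "2010-05-21 09:25:03 : (2314) : Completed calling function fetchTask",
    "2010-05-21 09:25:04 : (2314) : Calling function saveTask",
    "not a service log line",
]

if __name__ == "__main__":
    closed, open_txns = find_open_transactions(SAMPLE)
    print("closed:", closed)
    print("open:  ", open_txns)
```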