Splunk Search

What are transaction evicted and orphaned events?

frbuser
Path Finder

In regards to the transaction command, what are orphaned events and evicted events?

Is there a way to filter out logs which were not combined with other logs after using the transaction command?

0 Karma

to4kawa
Ultra Champion
index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

keeporphans controls whether there is a transaction group or not. Try it and see the result with keeporphans=f and keeporphans=t.
keepevicted controls events outside the range specified by the options.

See the docs: "The 'closed_txn' field is set to '1' if one of the following conditions is met: maxevents, maxpause, maxspan, startswith. For startswith, because the transaction command sees events in reverse time order, it closes a transaction when it satisfies the start condition."
Sorry, I can't create an example.

0 Karma

frbuser
Path Finder

So keeporphans will keep logs that were NOT grouped together in the results?

0 Karma

to4kawa
Ultra Champion

Did you check true or false?

0 Karma

frbuser
Path Finder

Yes, I still see events that show up in the results where linecount=1. So that still doesn't answer my question, as it seems events which have not been grouped still show up in the results whether true or false.

0 Karma

to4kawa
Ultra Champion

keeporphans
true:  linecount=1 count 175
false: linecount=1 count 2

These are my results. Maybe yours too.
keeporphans controls whether there is a transaction group or not.
Sorry, my English may be a bit strange.

0 Karma

frbuser
Path Finder

In my case, the results are the same, meaning I get the same number of events regardless of whether keeporphans is true or false. I am only using transaction on one field.

How are you defining a "transaction group"?

0 Karma

to4kawa
Ultra Champion
index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

In sourcetype=splunkd events, there may or may not be a group field.
If there is no group field, keeporphans=f can't display those events,
but keeporphans=t can display them.

0 Karma

frbuser
Path Finder

OK so the way I would describe that is orphaned events are logs which don't contain the transaction field(s).

Do you know how to filter out the events that weren't combined other than using linecount>2?

0 Karma

to4kawa
Ultra Champion

there is many ways.

0 Karma

frbuser
Path Finder

there are* many ways.

0 Karma
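The two points raised above (to4kawa's explanation of keeporphans/keepevicted, and frbuser's question about dropping events that were never combined) can be checked with the searches below. This is an added example, not a search posted by anyone in the thread. It builds on to4kawa's index=_internal sourcetype=splunkd search and assumes group is the transaction key; the fields eventcount, closed_txn and _txn_orphan are the ones the transaction command documentation describes, and maxspan=30s is an arbitrary constructed value chosen so that some transactions get closed by the span limit.

```spl
index=_internal sourcetype=splunkd earliest=-5m
| transaction group maxspan=30s keeporphans=t keepevicted=t
| eval kind=case(_txn_orphan=1, "orphan",
                 closed_txn=0, "evicted_or_open",
                 eventcount=1, "single",
                 true(), "grouped")
| stats count by kind

index=_internal sourcetype=splunkd earliest=-5m
| transaction group
| where eventcount > 1
```

The first search keeps everything (orphans and evicted transactions included) and labels each result: "orphan" for events that carry no group field and so could never join a transaction, "evicted_or_open" for transactions that no closing condition (maxspan here) ever closed, "single" for transactions that did have the field but found nothing to pair with, and "grouped" for the rest. The second search answers the filtering question directly: eventcount is the number of raw events the transaction command merged into each result, so where eventcount > 1 drops every result that was not combined with at least one other event, without depending on linecount, which is misleading for multi-line events.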

vnakra_splunk
Splunk Employee
0 Karma

frbuser
Path Finder

It's not clear from this what they are. It only tells you how to keep them. Orphans sounds like events that aren't in transactions, but it's not clear under what circumstances this happens.

0 Karma