Re: What are transaction evicted and orphaned even...

frbuser · ‎03-26-2020

In regards to the transaction command, what are orphaned events and evicted events?

Is there a way to filter out logs which were not combined with other logs after using the transaction command?

to4kawa · ‎03-27-2020

index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

keeporphans controls there is transaction group OR not. try and see the result with keeporphans=f and keeporphans=t
keepevicted controls events outside the range specified by options.

see The 'closed_txn' field is set to '1' if one of the following conditions is met: maxevents, maxpause, maxspan, startswith. For startswith, because the transaction command sees events in reverse time order, it closes a transaction when it satisfies the start condition.
sorry, I can't create example.

frbuser · ‎03-30-2020

so keeporphans will keep logs that were NOT grouped together in the results?

to4kawa · ‎03-30-2020

do you check true or false?

frbuser · ‎03-30-2020

yes I still see events that show up in the results where linecount=1. So that still doesn't answer my Q as it seems events which have not been grouped still show up in the results whether true or false.

to4kawa · ‎03-30-2020

keeporphans
true : linecount=1 counts 175
false: linecount=1 count 2

this is my results. maybe, yours too.
keeporphans controls there is transaction group OR not.
sorry, My english may be a bit strange.

frbuser · ‎03-30-2020

in my case, the results are the same, meaning I get the same number of events regardless of if keeporphans is true or false. I am only using transaction on one field.

How are you defining a "transaction group"?

to4kawa · ‎03-30-2020

 index=_internal sourcetype=splunkd earliest=-5m
 | transaction group keeporphans=f

In sourcetype=splunkd event, There may or may not be the group field.
If there is not group field. keeporphans=f can't display events .
but keeporphans=t , it can display events.

frbuser · ‎03-30-2020

OK so the way I would describe that is orphaned events are logs which don't contain the transaction field(s).

Do you know how to filter out the events that weren't combined other than using linecount>2?

to4kawa · ‎03-30-2020

there is many ways.

frbuser · ‎03-30-2020

there are* many ways.

vnakra_splunk · ‎03-26-2020

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction - describes orphans and evictions.

frbuser · ‎03-26-2020

it's not clear from this what they are. It only tells you how to keep them. Orphans sounds like events that aren't in transactions. But it's not clear under what circumstances this happens.

What are transaction evicted and orphaned events?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation