Splunk Search

What are transaction evicted and orphaned events?

Path Finder

In regards to the transaction command, what are orphaned events and evicted events?

Is there a way to filter out logs which were not combined with other logs after using the transaction command?

0 Karma

SplunkTrust
index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

keeporphans controls whether there is a transaction group or not. Try it and see the result with keeporphans=f and keeporphans=t.
keepevicted controls events outside the range specified by the options.

See: "The 'closed_txn' field is set to '1' if one of the following conditions is met: maxevents, maxpause, maxspan, startswith. For startswith, because the transaction command sees events in reverse time order, it closes a transaction when it satisfies the start condition."
Sorry, I can't create an example.

0 Karma

Path Finder

So keeporphans will keep logs that were NOT grouped together in the results?

0 Karma

SplunkTrust

Did you check true or false?

0 Karma

Path Finder

Yes, I still see events that show up in the results where linecount=1. So that still doesn't answer my question, as it seems events which have not been grouped still show up in the results whether true or false.

0 Karma

SplunkTrust

keeporphans
true : linecount=1 count 175
false: linecount=1 count 2

These are my results. Maybe yours are too.
keeporphans controls whether there is a transaction group or not.
Sorry, my English may be a bit strange.

0 Karma

Path Finder

In my case, the results are the same, meaning I get the same number of events regardless of whether keeporphans is true or false. I am only using transaction on one field.

How are you defining a "transaction group"?

0 Karma

SplunkTrust
index=_internal sourcetype=splunkd earliest=-5m
| transaction group keeporphans=f

In sourcetype=splunkd events, there may or may not be a group field.
If there is no group field, keeporphans=f can't display those events,
but keeporphans=t can display them.

0 Karma
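What each option adds to the output, as an added SPL example that is not from this thread. It assumes the fields the transaction command itself emits: _txn_orphan=1 on events output only because of keeporphans=t, eventcount for the number of events merged into a result, and closed_txn as quoted above (0 means the transaction was evicted, since maxspan and maxevents are set here).

```spl
index=_internal sourcetype=splunkd earliest=-5m
| transaction group maxspan=30s maxevents=50 keeporphans=t keepevicted=t
| eval kind=case(_txn_orphan==1, "orphan: event has no group field",
                 closed_txn==0,  "evicted: hit maxspan/maxevents before closing",
                 eventcount>1,   "grouped: two or more events merged",
                 true(),         "single: has a group value but nothing to merge with")
| stats count by kind
```

To keep only results that were actually merged, replace the eval and stats lines with `| where eventcount>1`; that drops orphans, single-event transactions and single-event evictions alike, without relying on linecount.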

Path Finder

OK so the way I would describe that is orphaned events are logs which don't contain the transaction field(s).

Do you know how to filter out the events that weren't combined other than using linecount>2?

0 Karma

SplunkTrust

there is many ways.

0 Karma

Path Finder

there are* many ways.

0 Karma

Splunk Employee
0 Karma

Path Finder

It's not clear from this what they are. It only tells you how to keep them. Orphans sound like events that aren't in transactions. But it's not clear under what circumstances this happens.

0 Karma