Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When using Transaction command startswith and endswith,if field value is same for both ,null is shown for endswith

mythili
Explorer
3 weeks ago

Hi All,

I am using transaction command to group events and get stop time of a device. 
| transaction sys_id startswith="START" endswith="STOP"
| eval stop_time=strftime(mvindex(sys_time,1), "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

However, when a field has same value for startswith and endswith, (for example, sys_time is same for both) then, mvindex(sys_time,1) is empty whereas mvindex(sys_time,0) gives the value.  If the values are different, then it works fine.

Does anyone have any idea on this behavior and on how to work around this to get the value regardless?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @mythili ,

you could use an eval command to have the timestamp of the second event:

| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

that runs also with events with the same timestamp.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @mythili ,

why do you need mvindex, if you want to take the first timestamp of the trandaction?

usually the transaction command takes as timestamp the one from the first event in the correlated events.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mythili
Explorer
3 weeks ago

Hi @gcusello,

I need the timestamp of the 2nd event in the transaction, i.e, the stop time.  When it showed empty value, I tested getting both the values and noticed this behavior.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @mythili ,

you could use an eval command to have the timestamp of the second event:

| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

that runs also with events with the same timestamp.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mythili
Explorer
3 weeks ago

Hi @gcusello,

Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @mythili,

sincerely I don't know.

You could open a case to Splunk Support to have an answer or to notice a possible bug.

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...