
When using the transaction command with startswith and endswith, if a field value is the same for both, null is shown for the endswith event

mythili
Explorer

Hi All,

I am using transaction command to group events and get stop time of a device. 
| transaction sys_id startswith="START" endswith="STOP"
| eval stop_time=strftime(mvindex(sys_time,1), "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

However, when a field has the same value for the startswith and endswith events (for example, sys_time is the same for both), mvindex(sys_time,1) is empty whereas mvindex(sys_time,0) gives the value. If the values are different, then it works fine.

Does anyone have any idea on this behavior and on how to work around this to get the value regardless?


gcusello
SplunkTrust

Hi @mythili ,

why do you need mvindex if you want to take the first timestamp of the transaction?

usually the transaction command takes as timestamp the one from the first event in the correlated events.

Ciao.

Giuseppe


mythili
Explorer

Hi @gcusello,

I need the timestamp of the 2nd event in the transaction, i.e, the stop time.  When it showed empty value, I tested getting both the values and noticed this behavior.


gcusello
SplunkTrust

Hi @mythili ,

you could use an eval command to have the timestamp of the second event:

| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

that runs also with events with the same timestamp.

Ciao.

Giuseppe

mythili
Explorer

Hi @gcusello,

Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?


gcusello
SplunkTrust

Hi @mythili,

sincerely I don't know.

You could open a case with Splunk Support to get an answer or to report a possible bug.

let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe
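
The following is an added, self-contained reproduction of the behaviour discussed in this thread; it is not code from the original posts. It builds its own sample events with makeresults, so it runs on any search head without an index: dev01 has a START and a STOP event in the same second, dev02 has them sixty seconds apart. The field names sys_id, sys_time and the START/STOP markers follow the question. mvlist=true is a documented option of the transaction command; that its default (mvlist=false) keeps only the unique values of each multivalue field, and that this is what leaves mvindex(sys_time,1) empty when both events carry the same sys_time, is my reading of the transaction documentation and is not confirmed anywhere in the thread. The search also shows the _time+duration form from the accepted answer, which does not depend on how many values survive in sys_time.

```spl
| makeresults count=1
| eval _raw="sys_id=dev01 sys_time=1700000000 msg=START;sys_id=dev01 sys_time=1700000000 msg=STOP;sys_id=dev02 sys_time=1700000100 msg=START;sys_id=dev02 sys_time=1700000160 msg=STOP"
| makemv delim=";" _raw
| mvexpand _raw
| rex "sys_id=(?<sys_id>\S+) sys_time=(?<sys_time>\d+) msg=(?<msg>\S+)"
| eval _time=tonumber(sys_time)
| sort 0 -_time -msg
| transaction sys_id startswith="START" endswith="STOP" mvlist=true
| eval values_kept=mvcount(sys_time)
| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%3N")
| table sys_id sys_time values_kept duration stop_time
```

Expected result: dev01 shows values_kept=2, duration=0 and a stop_time equal to the shared timestamp; dev02 shows values_kept=2, duration=60 and a stop_time sixty seconds after its START event. Removing mvlist=true should, on my reading of the docs, collapse dev01's sys_time to a single value (values_kept=1), which is the situation the question describes. Two caveats for anyone reusing mvindex instead of _time+duration: with mvlist=true the multivalue field is in arrival order rather than sorted, so which index holds the STOP event depends on the order the events reach transaction; and with the default mvlist=false the values are sorted as strings, which only matches chronological order when all sys_time values have the same number of digits. The _time+duration form sidesteps both problems because transaction sets _time to the earliest event and duration to the span to the latest one.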
