Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When using Transaction command startswith and endswith,if field value is same for both ,null is shown for endswith

mythili
Explorer
‎05-23-2024 10:28 PM

Hi All,

I am using transaction command to group events and get stop time of a device. 
| transaction sys_id startswith="START" endswith="STOP"
| eval stop_time=strftime(mvindex(sys_time,1), "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

However, when a field has same value for startswith and endswith, (for example, sys_time is same for both) then, mvindex(sys_time,1) is empty whereas mvindex(sys_time,0) gives the value.  If the values are different, then it works fine.

Does anyone have any idea on this behavior and on how to work around this to get the value regardless?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-23-2024 11:02 PM

Hi @mythili ,

you could use an eval command to have the timestamp of the second event:

| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

that runs also with events with the same timestamp.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-23-2024 10:40 PM

Hi @mythili ,

why do you need mvindex, if you want to take the first timestamp of the trandaction?

usually the transaction command takes as timestamp the one from the first event in the correlated events.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mythili
Explorer
‎05-23-2024 10:56 PM

Hi @gcusello,

I need the timestamp of the 2nd event in the transaction, i.e, the stop time.  When it showed empty value, I tested getting both the values and noticed this behavior.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-23-2024 11:02 PM

Hi @mythili ,

you could use an eval command to have the timestamp of the second event:

| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time

that runs also with events with the same timestamp.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mythili
Explorer
‎05-24-2024 12:43 AM

Hi @gcusello,

Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-24-2024 12:47 AM

Hi @mythili,

sincerely I don't know.

You could open a case to Splunk Support to have an answer or to notice a possible bug.

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...