Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are my two search queries not working with the transaction command?

sjanwity
Communicator
‎10-22-2014 08:05 AM

I have a splunk query which takes data out of a database and tries to perform transaction on it. I've discovered something very odd about this.

If I were to run this command:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same result as running these 2 queries:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | collect index=summary

then do: 

index=summary | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | table [the result set]  | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same results, yes? The former query is simply an appendation of the latter 2 without the use of an index. They both do eval _time=UPDATE_TIME. So shouldn't they be exactly the same?

For some reason they aren't. The former query gives me a table where the transaction command falls apart - sometimes it would be grouping up rows correctly, sometimes it wasn't - and leading me on a week long goose chase on why transaction isn't working as it should, but other commands like stat gave the expected result.

Does anyone know why?

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-23-2014 02:33 PM

That should increase your chances, yeah.

0 Karma
Reply

sjanwity
Communicator
‎10-28-2014 09:37 AM

but it still doesn't work 100%. The problem here I think is that Splunk doesn't recognize the timestamp field even if you explicitly set it so using eval. Maybe this should be a bug report?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-22-2014 01:47 PM

Does your dbquery return events in the proper descending time order? That's where I suspect a difference, shoving it all in a summary index and then searching on that will implicitly order the events by time.

0 Karma
Reply

sjanwity
Communicator
‎10-23-2014 01:50 AM

so if I sort my dbquery by UPDATE_TIME before transacting it I should get the expected input?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...