Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are my two search queries not working with the transaction command?

sjanwity
Communicator
‎10-22-2014 08:05 AM

I have a splunk query which takes data out of a database and tries to perform transaction on it. I've discovered something very odd about this.

If I were to run this command:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same result as running these 2 queries:

| dbquery "DB" "select * from gdh" | eval _time=UPDATE_TIME | collect index=summary

then do: 

index=summary | transaction TYPE_NAME FIELD_NAME OBJECT_KEY keeporphans=true maxspan=1s maxpause=1s maxevents=2 | table [the result set]  | sort TYPE_NAME OBJECT_KEY FIELD_NAME

I should get the same results, yes? The former query is simply an appendation of the latter 2 without the use of an index. They both do eval _time=UPDATE_TIME. So shouldn't they be exactly the same?

For some reason they aren't. The former query gives me a table where the transaction command falls apart - sometimes it would be grouping up rows correctly, sometimes it wasn't - and leading me on a week long goose chase on why transaction isn't working as it should, but other commands like stat gave the expected result.

Does anyone know why?

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-23-2014 02:33 PM

That should increase your chances, yeah.

0 Karma
Reply

sjanwity
Communicator
‎10-28-2014 09:37 AM

but it still doesn't work 100%. The problem here I think is that Splunk doesn't recognize the timestamp field even if you explicitly set it so using eval. Maybe this should be a bug report?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-22-2014 01:47 PM

Does your dbquery return events in the proper descending time order? That's where I suspect a difference, shoving it all in a summary index and then searching on that will implicitly order the events by time.

0 Karma
Reply

sjanwity
Communicator
‎10-23-2014 01:50 AM

so if I sort my dbquery by UPDATE_TIME before transacting it I should get the expected input?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...