Why does an eventstats before a transaction with no maxspan display results immediately?


I have noticed some weird behavior that I don't understand when using the transaction command. If I don't specify a maxspan for the transaction command, the results aren't displayed until Splunk has finished gathering data within the timeframe specified for the search. If I add an "eventstats count by anyfieldavailable" (or any stats-func other than count) before the transaction, it displays results immediately and updates the events in each transaction as it walks through the data.

I noticed this on a query I built to help ease reading our mail logs.

If I search for this:

index="main" sourcetype="postfix_syslog" | eval from=replace(from,"(<|>)","") | eval to=replace(to,"(<|>)","") | rex "\]:\s(?<sessionId>\w+):" | rex "status=\w+\s\((?<status_message>.*)\)" | where sessionId != "NOQUEUE" | eval status=if(match(_raw, "discard"),"discard",status) | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M") | eventstats count by sessionId | transaction sessionId | where isnotnull(to) | table timestamp from to status sessionId client host

It displays the table and immediately starts populating it.

If I search for this:

index="main" sourcetype="postfix_syslog" | eval from=replace(from,"(<|>)","") | eval to=replace(to,"(<|>)","") | rex "\]:\s(?<sessionId>\w+):" | rex "status=\w+\s\((?<status_message>.*)\)" | where sessionId != "NOQUEUE" | eval status=if(match(_raw, "discard"),"discard",status) | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M") | transaction sessionId | where isnotnull(to) | table timestamp from to status sessionId client host

It doesn't display anything until it has finished searching through the desired timeframe.

My theory is that it has something to do with the "...and save them as values in new fields." part of the eventstats description from the manual. I've poked around the manual and Splunk Base trying to figure out what's going on but am having no luck finding any information.

I'm hoping someone will be able to answer two questions:

  1. Why is this happening?
  2. Is there another (optimal) way to mimic the behavior caused by having the eventstats before the transaction?
  1. I believe it returns results immediately because the eventstats command will group incoming events (those being read in), so the transaction command doesn't have to wait for additional events, it simply has a single event per sessionId that keeps getting updated. Without eventstats, the transaction command has to wait for incoming events before it can group them into a transaction.

  2. Would it be acceptable to provide a maxspan or maxpause to the transaction command? That would enable it to return results because it could finalize transactions before reading in all of the incoming events.

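The answer's suggestion applied to the question's second search (the one without eventstats), as an added example that is not code from the original thread. The maxspan and maxpause values are assumptions picked for illustration, not values from the post; the endswith clause is a further assumption that relies on Postfix logging a "QUEUEID: removed" line when a message leaves the queue, so a transaction can be closed on that event rather than held open until the search window is exhausted. The named capture group is restored to sessionId, which the rest of the query already references.

```spl
index="main" sourcetype="postfix_syslog"
| eval from=replace(from,"(<|>)","")
| eval to=replace(to,"(<|>)","")
| rex "\]:\s(?<sessionId>\w+):"
| rex "status=\w+\s\((?<status_message>.*)\)"
| where sessionId != "NOQUEUE"
| eval status=if(match(_raw, "discard"),"discard",status)
| eval timestamp=strftime(_time, "%Y-%m-%d %H:%M")
| transaction sessionId maxspan=30m maxpause=5m endswith="removed"
| where isnotnull(to)
| table timestamp from to status sessionId client host
```

Pick maxspan and maxpause from your own queue lifetimes: a deferred message that is retried for hours will be split into several transactions if maxspan is shorter than the retry period, so check the closed_txn and duration fields that transaction adds before trusting the per-session view for delivery tracing.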