Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Transaction command not working as expected?

indeed_2000
Motivator
‎05-30-2022 10:39 AM

I encounter with strange issue when i use transaction and at the end sort by duration it show highest duration is 15000 but when i remove transaction it show 17000 as highest duration!!!

FYI1:correct value is 17000 and there is no special filter exist here!

FYI2:duration directly print in log i just use transaction to aggregate two lines.

 

Here is with transaction command:

| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | sort - duration | table duration actionName username

 

Here is without transaction:

| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" | sort - duration | table duration actionName username

 

Here is the log:
2022-05-30 12:39:34,262 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]

2022-05-30 12:42:26,109 INFO  [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]

 

any idea?

Thanks

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2022 11:14 PM

duration is a field that is (also) generated by the transaction command so the value you are extracting from the event (with rex) is getting overridden by the transaction command - try a different field name - even capitalising might work

 |  rex "actionName\[(\w+\.)*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<Duration>\d+)"
 | rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)"
 | transaction transactionId | sort - Duration
 | table Duration actionName username

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2022 11:14 PM

duration is a field that is (also) generated by the transaction command so the value you are extracting from the event (with rex) is getting overridden by the transaction command - try a different field name - even capitalising might work

 |  rex "actionName\[(\w+\.)*\.(?<actionName>\w+\.\w+)\]" | rex "duration\[(?<Duration>\d+)"
 | rex "transactionId\[(?<transactionId>\w+-\w+-\w+-\w+-\w+)"
 | transaction transactionId | sort - Duration
 | table Duration actionName username
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...