
Why is my transaction search with earliest=-2d not returning all grouped events?

Path Finder

When I run the below command, it returns some of the grouped events, but not all of them. It will not return the most recent events.
If I change to earliest=-1d, it returns more recent events than earliest=-2d does. I thought all events up to the current time should be returned with -2d or -1d. In other words, -2d should return 2 days' worth, -1d should return 1 day's worth, but all events returned from -1d should also be returned with -2d, right?

index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version" | xmlkv | fields _time clientId | transaction clientId
0 Karma

Re: Why is my transaction search with earliest=-2d not returning all grouped events?

Motivator

Hello @riotto,

To return all the events that are not part of the grouped transactions, use the attribute

keeporphans=true

More examples: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction

Syntax: ... | transaction startswith=Start endswith=Ends keeporphans=true ... will return loose events. Also, look at the option keepevicted=true from the same docs link.

As far as the -2d and -1d question is concerned, are you missing any large subset of events?

Hope this helps!

Thanks,
Raghav

0 Karma

Re: Why is my transaction search with earliest=-2d not returning all grouped events?

Path Finder

Yes, it is missing the most recent events that are part of the grouped transaction. My question about -1d and -2d is that -2d should be inclusive of -1d, but it appears not to be. The search is grouping events (there are only two events in a group). I want only the groups that have a duration of > 5. There are groups that meet the criteria for today and are returned with -1d, but not with -2d... make sense?

0 Karma

Re: Why is my transaction search with earliest=-2d not returning all grouped events?

Motivator

Is it possible that it's returning lots of data? There is a limit on open transactions that can be returned. Please take a look at this answer:

https://answers.splunk.com/answers/186106/is-there-a-limit-on-the-number-of-events-returned.html

Thanks,
Raghav

0 Karma
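A simplified model of the open-transaction limit Raghav points to, added here as an illustration and not part of the thread or of Splunk's own code. It assumes the search pipeline feeds `transaction` newest-first, that a group with no closing condition stays open until input ends, and that overflowing the open pool (the limits.conf maxopentxn setting, shrunk to a constructed value of 8) evicts the group that was opened first. Under those assumptions, widening earliest from -1d to -2d drops the most recent groups unless keepevicted=true, which matches what riotto describes.

```python
from collections import OrderedDict

# Constructed sample data: a 2-day timeline with 6 clientIds per day; each
# clientId logs a request event and a response event 10 seconds later.
NOW = 1_700_000_000
DAY = 86_400

def build_events(days):
    events = []
    for d in range(days):
        for k in range(6):
            t = NOW - d * DAY - k * 600 - 60
            cid = f"client-{d}-{k}"
            events.append({"_time": t - 10, "clientId": cid, "kind": "request"})
            events.append({"_time": t, "clientId": cid, "kind": "response"})
    return events

def search(earliest_days, maxopentxn=8, keepevicted=False):
    """Model of: index=... earliest=-<N>d | transaction clientId

    Events are consumed newest-first. A group stays open until input ends
    (no endswith/maxspan given). When more than maxopentxn groups are open,
    the group opened first, i.e. the most recent one in time, is evicted.
    Evicted groups are dropped unless keepevicted is set (assumed policy).
    Returns {clientId: duration} for every group the search would emit."""
    cutoff = NOW - earliest_days * DAY
    events = [e for e in build_events(2) if e["_time"] >= cutoff]
    open_pool = OrderedDict()          # insertion order == order opened
    evicted = []
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        cid = ev["clientId"]
        if cid not in open_pool:
            if len(open_pool) >= maxopentxn:
                _, victim = open_pool.popitem(last=False)   # oldest-opened group
                evicted.append(victim)
            open_pool[cid] = []
        open_pool[cid].append(ev)
    groups = list(open_pool.values()) + (evicted if keepevicted else [])
    return {g[0]["clientId"]: max(e["_time"] for e in g) - min(e["_time"] for e in g)
            for g in groups}

if __name__ == "__main__":
    one_day, two_days = search(1), search(2)
    print("-1d groups:", sorted(one_day))
    print("-2d groups:", sorted(two_days))
    print("-1d subset of -2d?", set(one_day) <= set(two_days))
    print("-2d with keepevicted=true:", len(search(2, keepevicted=True)), "groups")
```

Running it shows the -2d result missing the four newest clientIds that the -1d result contains, while keepevicted=True returns all twelve groups.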