Splunk Search

Why is my transaction search with earliest=-2d not returning all grouped events?

riotto
Path Finder

When I run the below command, it returns some of the grouped events, but not all of them. It will not return the most recent events.
If I change to earliest=-1d, it returns events (more recent) than that of earliest=-2d. I thought all events up to the current time should be returned with -2d or -1d. In other words, -2d should return 2 days worth, -1d should return 1 day worth, but all events returned from -1d should be returned with -2d, right?

index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version"     | xmlkv  | fields _time clientId | transaction clientId
0 Karma

Raghav2384
Motivator

Hello @riotto,

To return all the events that are not part of the grouped transactions, use the attribute

keeporphans=true

More examples: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction

Syntax: .....|transaction startswith=Start endswith=Ends keeporphans=true ....will return loose events. Also, look at the option keepevicted=true from the same docs link.

As far as the -2d and -1d question is concerned, are you missing any large subset of events?

Hope this helps!

Thanks,
Raghav

0 Karma

riotto
Path Finder

Yes, it is missing the most recent events that are part of the grouped transaction. My question about -1d and -2d is that -2d should be inclusive of -1d, but appears not to be. The search is grouping events (there are only two events in a group). I want only the groups that have a duration of > 5. There are groups that meet the criteria for today and are returned with -1d, but not with -2d...make sense?

0 Karma

Raghav2384
Motivator

Is it possible that it's returning lots of data? There is a limit on open transactions that can be returned. Please take a look at this answer

https://answers.splunk.com/answers/186106/is-there-a-limit-on-the-number-of-events-returned.html

Thanks,
Raghav

0 Karma
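Putting the two replies together, here is an added example (not posted by either participant) of the original search with keepevicted=true applied and filtered to the groups with duration > 5, followed by a count of how many of those transactions were closed normally versus evicted, which is the quickest way to confirm whether the open-transaction limit is what hides the newest groups. It relies on the closed_txn field that transaction sets (1 for a normally closed transaction, 0 for an evicted one); maxevents=2 is an assumption based on the statement that every group holds exactly two events, and the OR clause is wrapped in its own parentheses so that it stays inside the index and time range (SPL binds AND more tightly than OR).

```spl
index="personalizedoffer" earliest=-2d
    ((XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version")
| xmlkv
| fields _time clientId
| transaction clientId maxevents=2 keepevicted=true
| where duration > 5
| eval txn_state=if(closed_txn==1, "closed", "evicted")
| stats count latest(_time) as newest_txn by txn_state
| convert ctime(newest_txn)
```

If the evicted row carries the newest timestamp while the closed row does not, the gap between -1d and -2d is the eviction limit rather than the time range; dropping the last three lines returns the transactions themselves.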