When I run the below command, it returns some of the grouped events, but not all of them. It will not return the most recent events. If I change to earliest=-1d, it returns more recent events than earliest=-2d does. I thought all events up to the current time should be returned with -2d or -1d. In other words, -2d should return 2 days' worth, -1d should return 1 day's worth, but all events returned from -1d should also be returned with -2d, right?
index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version" | xmlkv | fields _time clientId | transaction clientId
Hello @riotto,
To return all the events that are not part of the grouped transactions, use the attribute keeporphans=true
More examples: http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Transaction
Syntax: .....|transaction startswith=Start endswith=Ends keeporphans=true
....will return loose events. Also, look at the option keepevicted=true from the same docs link.
As far as the -2d and -1d question is concerned, are you missing any large subset of events?
Hope this helps!
Thanks,
Raghav
Yes, it is missing the most recent events that are part of the grouped transaction. My question about -1d and -2d is that -2d should be inclusive of -1d, but appears not to be. The search is grouping events (there are only two events in a group). I want only the groups that have a duration of > 5. There are groups that meet the criteria for today and are returned with -1d, but not with -2d...make sense?
Is it possible that it's returning lots of data? There is a limit on open transactions that can be returned. Please take a look at this answer
https://answers.splunk.com/answers/186106/is-there-a-limit-on-the-number-of-events-returned.html
Thanks,
Raghav
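The search from the question with the two options from the answers applied, added here as an illustration rather than copied from the thread. The filter duration > 5 follows the follow-up post; maxspan=1h is an assumed upper bound on how far apart the two events of one group can be, and should be set to the real gap for this data:

```spl
index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version"
| xmlkv
| fields _time clientId
| transaction clientId keeporphans=true keepevicted=true maxspan=1h
| where duration > 5
| table _time clientId duration eventcount closed_txn _txn_orphan
```

With keepevicted=true, transactions that were evicted because the open-transaction limit was hit come through with closed_txn=0 instead of being dropped, and with keeporphans=true events that never joined a group come through with _txn_orphan=1, so a count by closed_txn and _txn_orphan shows whether the missing groups are being evicted or never formed. Giving maxspan a realistic value lets the transaction command close groups sooner and keeps fewer of them open at once. The limit itself is maxopentxn (with maxopenevents alongside it) in the [transactions] stanza of limits.conf; a wider time range such as -2d keeps more transactions open during the search than -1d does, which is consistent with the larger range returning fewer groups.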