Splunk Search

Why is the transaction command with maxspan not giving accurate results?

Communicator

Hi,

I have some transactions which have taken 3 hours to complete. When I use maxspan=90m, my transaction is breaking into 2 different transactions (1 transaction is showing as 2 different transactions) and giving 1500 results. I changed maxspan=3h, but it is not giving all results, only 200; the transaction is not breaking, but I'm missing transactions where the transaction time is less than 90m.

Can anyone help me with this?

Thanks & Regards

1 Solution

Communicator

Hi,

I got the answer for this issue. I have used startswith and endswith with maxspan=3h. If you don't have startswith and endswith and you increase the maxspan, you will get fewer results.

Thanks



Esteemed Legend

The website trashed some of your search text (the name of the extracted field) but I assume that it was supposed to extract Status. If so, then perhaps this will get you started enough to finish on your own:

index=ibm sourcetype="AService" host=ABC
| rex "Logger - \[(?<Status>.*)\] - "
| eventstats values(AutoActivateId) AS AutoActivateIds by host
| stats earliest(_time) AS firstTime latest(_time) AS latestTime list(_raw) AS events values(*) AS * by host

Communicator

Thanks for your response. I am extracting AutoActivateId, not Status; anyway, I will try this and get back to you.

Thank you


Esteemed Legend

The transaction command's documentation is somewhat vague about it, but when it consumes the maximum amount of memory possible, it will drop all further work and present what it has at that moment WITHOUT ANY INDICATION THAT IT IS INCOMPLETE. This is the reason that I try to avoid using it at all costs.

Communicator

Thank you for your response; is there any other command to get all transactions? Please help me with how to do this without the transaction command.

Thanks in advance


Legend

The performance and results of the transaction command can vary widely depending on the number of events. How many events are being piped into the transaction command?


SplunkTrust

Can you provide some sample data and current search that you're using?


Communicator

Hi,

Thank you for your quick response.

In my data most of the transactions are completed within 15 minutes; only a few of them take more than 3 hours. If I take maxspan=90m I am getting all the transactions in a given period (I got 2000 rows), but where the transaction time is more than 3 hours that transaction is split into two transactions with the same AutoActivateId (this AutoActivateId is unique for each transaction). Then I changed to maxspan=3h and it is not giving all results, giving only less than 50% of the above results (it is giving only 800 when I changed to maxspan=3h).

For example, if a transaction with AutoActivateId = 123 started at 8:00AM on 10th October 2015 and ended at 11:00AM on 10th October 2015, I am getting results like

_time AutoActivateId host Status
10-10-2015 8:00 123 ABC Not Completed
10-10-2015 9:31 123 ABC Completed

I know why this transaction is split into two transactions: I have given maxspan=90m, so after 90 minutes Splunk is considering it a new transaction and giving it as a new transaction, and the status of the transaction is also showing different values. When I changed maxspan to 3 hours this transaction is showing as one transaction but some other transactions are missing.

Hope I explained my problem properly.

Below is the query which I used:

index=ibm sourcetype="AService" host=ABC
|rex field=_raw "Logger - [(?.*)] - "
|transaction AutoActivateId host maxevents=-1 maxspan=90m
|table _time, AutoActivateId, host, Status

Thanks & Regards

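To make the split concrete, here is an added Python model (not Splunk code, and not written by anyone in this thread) of how `transaction AutoActivateId host maxspan=...` groups events, next to the stats-based alternative suggested further up the thread. The event list is constructed to mirror the example in the post (AutoActivateId 123 running from 8:00 to 11:00, plus two shorter transactions); the grouping rule is an approximation of transaction's maxspan semantics (a row's first-to-last span may not exceed maxspan), and `split_ids` is an added sanity check, not a Splunk command.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the post: (_time, AutoActivateId, host, Status).
# AutoActivateId 123 runs for 3 hours; 456 and 789 finish well inside 90 minutes.
SAMPLE_EVENTS = [
    (datetime(2015, 10, 10, 8, 0), "123", "ABC", "Not Completed"),
    (datetime(2015, 10, 10, 11, 0), "123", "ABC", "Completed"),
    (datetime(2015, 10, 10, 8, 10), "456", "ABC", "Not Completed"),
    (datetime(2015, 10, 10, 8, 20), "456", "ABC", "Completed"),
    (datetime(2015, 10, 10, 9, 0), "789", "ABC", "Not Completed"),
    (datetime(2015, 10, 10, 9, 45), "789", "ABC", "Completed"),
]

MAXSPAN_90M = timedelta(minutes=90)
MAXSPAN_3H = timedelta(hours=3)


def _row(aid, host, evs):
    """One output row for a group of events: multivalue Status, duration in seconds."""
    times = [e[0] for e in evs]
    return {
        "_time": min(times),
        "AutoActivateId": aid,
        "host": host,
        "Status": sorted({e[3] for e in evs}),
        "duration": (max(times) - min(times)).total_seconds(),
        "eventcount": len(evs),
    }


def transaction(events, maxspan):
    """Approximation of `transaction AutoActivateId host maxspan=...`:
    events with the same (AutoActivateId, host) are merged while the span
    from the group's first event to the current one stays within maxspan;
    an event beyond that limit starts a second row for the same id."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_key[(ev[1], ev[2])].append(ev)
    rows = []
    for (aid, host), evs in by_key.items():
        group = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - group[0][0] > maxspan:
                rows.append(_row(aid, host, group))
                group = [ev]
            else:
                group.append(ev)
        rows.append(_row(aid, host, group))
    return sorted(rows, key=lambda r: r["_time"])


def stats_by_id(events):
    """Approximation of the stats alternative:
    stats earliest(_time) AS firstTime latest(_time) AS latestTime
          values(Status) AS Status by AutoActivateId host
    One row per key whatever the duration, so no span limit can split it."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[1], ev[2])].append(ev)
    rows = [_row(aid, host, evs) for (aid, host), evs in by_key.items()]
    return sorted(rows, key=lambda r: r["_time"])


def split_ids(rows):
    """Added sanity check (hypothetical helper): ids that appear in more than
    one row, i.e. the transactions a too-small maxspan has broken apart."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["AutoActivateId"]] += 1
    return sorted(k for k, v in counts.items() if v > 1)


if __name__ == "__main__":
    for label, maxspan in (("maxspan=90m", MAXSPAN_90M), ("maxspan=3h", MAXSPAN_3H)):
        rows = transaction(SAMPLE_EVENTS, maxspan)
        print(f"{label}: {len(rows)} rows, split ids: {split_ids(rows)}")
        for r in rows:
            print("  ", r["_time"].strftime("%d-%m-%Y %H:%M"), r["AutoActivateId"], r["host"], r["Status"])
    stats_rows = stats_by_id(SAMPLE_EVENTS)
    print(f"stats by id: {len(stats_rows)} rows, split ids: {split_ids(stats_rows)}")
```

With maxspan=90m the model returns four rows and reports 123 as split (one row "Not Completed" at 8:00, another "Completed" at 11:00), which is exactly the table in the post; with maxspan=3h it returns three rows. The stats version returns three rows either way and still carries the start, end and duration of each AutoActivateId. The equivalent check in SPL is to compare `stats dc(AutoActivateId)` over the raw events with the number of rows transaction returns: any shortfall is work that transaction dropped or split.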

Communicator

Any help with my query?