Splunk Search

how to find event that is outside a transaction

jgcsco
Path Finder

The transaction command has been helping me to correlate two events. Is there a way for me to find out the event that is not falling into the transaction?

event1, hostid
event2, hostid

|transaction hostid startswith=event1, endswith=event2

This will give me all the hostid that falls into both event1 and event2. How do I find out the hostid which is ONLY in event1 or event2?

Thanks,

Tags (1)
0 Karma
1 Solution

aholzer
Motivator

I believe the "keeporphans" flag is what you are looking for:

keeporphans=<bool>
Description: Specify whether the transaction command should output the results that are not part of any transactions. The results that are passed through as "orphans" are distinguished from transaction events with a _txn_orphan field, which has a value of 1 for orphan results. Defaults to false.

Got this from the Splunk docs on transactions.

Hope this helps.

View solution in original post

0 Karma

aholzer
Motivator

I believe the "keeporphans" flag is what you are looking for:

keeporphans=<bool>
Description: Specify whether the transaction command should output the results that are not part of any transactions. The results that are passed through as "orphans" are distinguished from transaction events with a _txn_orphan field, which has a value of 1 for orphan results. Defaults to false.

Got this from the Splunk docs on transactions.

Hope this helps.

0 Karma

jgcsco
Path Finder

the keepophans will include hostid that is in both event1 and event2, as well either event1 or event2. However, I am interested in ONLY in event1 or event2.

0 Karma

aholzer
Motivator

@jgsco

Use | search _txn_orphan=1 after the transaction. That should return only the "orphans".

0 Karma

jgcsco
Path Finder

Thanks! That worked.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...