Re: how to make transaction to consider the data f...

anooshac · ‎08-06-2021

Hi all, i have a query for transaction,

source="abc_data1_*" index="testing" sourcetype="_json"
| transaction startswith=(STATUS="FAIL") endswith=(STATUS="SUCCESS")

The events in the results are considered from most recent to oldest. But i want this transaction to consider the the older data first to the processing. I want the data to be sorted from the beginning and then apply the transaction. "Reverse" doesn't work with this.Anyone knows how to do this?

sharynh · ‎08-06-2021

Have you tried Tail ?

Customer Success Manager | Public Sector
Splunker since July 2021 - still a newbie!

anooshac · ‎08-08-2021

No. How exactly should i use that?

ITWhisperer · ‎08-06-2021

| sort 0 _time

anooshac · ‎08-06-2021

Hi sir, I am getting the events like this. only one event is older and the rest is new data.

As you can see only first event is older.

ITWhisperer · ‎08-06-2021

What is your full search?

anooshac · ‎08-08-2021

source="abc_data1_*" index="testing" sourcetype="_json"
| transaction startswith=(STATUS="FAIL") endswith=(STATUS="SUCCESS")

This is only my full search.

ITWhisperer · ‎08-09-2021

8/4/21 is not older than 7/30/21

Can you share some of your raw events as it doesn't look like your transaction command is working.

how to make transaction to consider the data from the beginning(i.e oldest data)

transaction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life