Splunk Search

how to show source after transactions (around the starting event of a transaction)

myli12
Path Finder

I did the following search to identify those "A" events that are not paired with / ended by "B" events.

"A" OR "B" | transaction startswith="A" endswith="B" keepevicted=true | search closed_txn=0 "A"

When I clicked on "show source", I got the following error message:

"Could not find target event on the remote server, unable to form the proper distributed search"

I noticed that I always get this same error message when I use "show source" after using the transaction command. I would like to view/show the source around the starting event in a transaction; is there a workaround?

1 Solution

myli12
Path Finder

I have a workaround solution. Assume A won't happen twice within a 1s span. I use the transaction command and a subsearch as follows:

"A" [search "A" OR "B" | transaction startswith="A" endswith="B" keepevicted=true | search closed_txn=0 "A" | eval earliest=_time | eval latest=relative_time(_time, "+1s") | fields host, earliest, latest | format "(" "(" "" ")" "OR" ")"]

Basically, I used a subsearch to convert the transaction results into search results; then I can show source.

Any more elegant solutions are welcome.
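As an added example (my own code, not part of the post and not Splunk code), the following Python models what the accepted workaround does: it pairs "A" with "B" events the way `transaction startswith="A" endswith="B" keepevicted=true` does, keeps the starts that were never closed (closed_txn=0), and renders the host/earliest/latest clause that the subsearch's `format "(" "(" "" ")" "OR" ")"` hands back to the outer search. The event data is constructed, and the assumption that `format` quotes every value is mine.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 1  # the post assumes no second "A" on a host within 1 s

@dataclass
class Event:
    time: int   # epoch seconds (_time)
    host: str
    raw: str    # _raw

# Constructed sample data: web2's second "A" and web1's last "A" get no "B".
EVENTS = [
    Event(1700000000, "web1", "A session opened"),
    Event(1700000005, "web1", "B session closed"),
    Event(1700000010, "web2", "A session opened"),
    Event(1700000012, "web2", "B session closed"),
    Event(1700000020, "web2", "A session opened"),
    Event(1700000030, "web1", "A session opened"),
]

def unclosed_starts(events):
    """Return the "A" events no later "B" closed (closed_txn=0).
    Like the original search, no grouping field is used: a "B" closes the
    most recent still-open "A" regardless of host (a model of Splunk's
    contiguous start/end pairing, not a reimplementation of it)."""
    open_starts = []
    for ev in sorted(events, key=lambda e: e.time):
        terms = ev.raw.split()
        if "A" in terms:
            open_starts.append(ev)
        elif "B" in terms and open_starts:
            open_starts.pop()          # this transaction is closed (closed_txn=1)
    return open_starts                 # evicted / still open when the search ends

def format_clause(events, window=WINDOW_SECONDS):
    """Render what the subsearch returns: one parenthesised group per event
    with host plus an earliest/latest window of `window` seconds, groups
    joined by OR.  The empty column separator means implicit AND, and
    values are assumed to be quoted as format does by default."""
    groups = [
        f'( host="{ev.host}" earliest="{ev.time}" latest="{ev.time + window}" )'
        for ev in events
    ]
    return "( " + " OR ".join(groups) + " )"

def outer_search(events):
    """The search Splunk actually runs once the subsearch has been expanded."""
    return '"A" ' + format_clause(unclosed_starts(events))
```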

