Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

matching multiple constraints in a transaction

cphair
Builder
‎03-08-2013 10:33 AM

I need to find hosts on which Event B occurred within three minutes of Event A. I'm trying to use transaction, but I seem to be running into the problem that a transaction is marked closed if either maxspan or startswith is satisfied, and I want all three of these constraints to be satisfied:



... | transaction host maxspan=3m startswith(EventCode=A) endswith(EventCode=B)

Event A is far more common than Event B, so I end up with a lot of transactions consisting only of Event A, which is annoying. unifyends=t doesn't work; A and B have nothing in common with each other, so I just end up with Event A-only transactions. I could try to filter by the EventCode field after the transactions are created, but that seems silly; transaction should be able to do this implicitly. Can I do something in the transaction command to make it honor all three constraints? I am running Splunk 4.3.4.

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-09-2013 08:39 AM

do your transactions with a larger time range, then apply conditions to find the transaction matching your requirements.

... | transaction host maxspan=6m startswith(EventCode=A) endswith(EventCode=B) | search EventCode=B AND duration<=180

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-09-2013 08:39 AM

do your transactions with a larger time range, then apply conditions to find the transaction matching your requirements.

... | transaction host maxspan=6m startswith(EventCode=A) endswith(EventCode=B) | search EventCode=B AND duration<=180

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎05-03-2013 12:11 PM

I'll do this, but I still think transaction should be able to do this itself. It seems inefficient to have to pull back all the solo Event As and then discard most of them.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...