Solved: Re: _txn_orphan field missing from transaction com...

eugenek · ‎05-09-2019

Just upgraded SH from 7.0.2 to 7.2.5.1 (indexers still in progress) and some reports which rely on _txn_orphan broke. If I understand correctly, this should be returning the _txn_orphan field.
| makeresults | eval foo="start;stop;start" | eval start_stop=split(foo,";") | mvexpand start_stop |fields - foo | transaction _time startswith="start_stop=start" endswith="start_stop=stop" keeporphans=true unifyends=true

eugenek · ‎05-16-2019

Worked with support and while the | makeresults-based query doesn't work on 7.0.2 either they confirmed that the behavior of that field changed between the versions.

More specifically,

There was some changes in SPL-159182 for memory management back in 7.1.4.
The _txn_orphan still exists, but only if the events aren't part of a transaction (even an incomplete one).

View solution in original post

eugenek · ‎05-16-2019

Worked with support and while the | makeresults-based query doesn't work on 7.0.2 either they confirmed that the behavior of that field changed between the versions.

More specifically,

There was some changes in SPL-159182 for memory management back in 7.1.4.
The _txn_orphan still exists, but only if the events aren't part of a transaction (even an incomplete one).

sloshburch · ‎06-17-2019

Thanks for adding the explanation from support!

_txn_orphan field missing from transaction command after upgrade

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

_txn_orphan field missing from transaction command after upgrade

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!