Splunk transactions are built in reverse order, and the transaction command actually requires that the events are ordered by descending time. So Splunk looks first for the end of the transaction and then works backwards to the beginning. When you think about this, it may change your approach. You might try this:
yoursearchhere
| transaction id endswith="D"
| where mvindex(somefield, 0)=="A"
But this example causes Splunk to build a new transaction each time it sees an instance of "D" - and what you want is for Splunk to start with the earliest instance of "A" and end with the latest instance of "D", with no intervening "A"s.
Also, Splunk cannot deal with interleaved transactions unless there is a unique identifier for each transaction. If you have multiple transactions with an id of "35", then one transaction must end before another begins.
Finally, the transaction command is very memory intensive. When Splunk runs short of memory, it may "evict" transactions that it otherwise would have kept. Test your searches with the smallest reasonable time range to avoid this problem. You may want to look at the Search Job Inspector for any warnings that would indicate that Splunk was not able to form the transactions completely.
I think what would work best is
yoursearchhere
| transaction id startswith="A"
| then go backwards through the transaction's events to the latest event that is "D"
As you can see, I haven't figured out the last part yet. But I think that some of these other issues may be inhibiting your progress. I hope this helps you to get closer to a solution.
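To make the difference concrete, here is an added Python model (not Splunk code and not from the original post) of the two groupings discussed above: what `endswith="D"` does when Splunk walks events newest-to-oldest, versus the wanted grouping that starts at an "A" and is trimmed back to the latest "D" before the next "A". The event list, field names and the "drop events outside any open transaction" rule are constructed assumptions for the demonstration.

```python
# Constructed sample events (one id, fields _time/id/step), in DESCENDING time
# order, which is the order Splunk hands events to the transaction command.
EVENTS = [
    (10, "35", "C"), (9, "35", "D"), (8, "35", "C"), (7, "35", "A"),
    (6, "35", "D"), (5, "35", "D"), (4, "35", "B"), (3, "35", "A"),
    (2, "35", "D"), (1, "35", "A"),
]


def transaction_endswith(events, end_step="D"):
    """Model `transaction id endswith="D"`: walking newest to oldest, every
    event whose step is the end marker closes the group open for that id
    (if any) and opens a fresh one, so each "D" starts a new transaction.
    Events seen while no group is open for their id are treated as
    incomplete and dropped (assumed simplification of Splunk's eviction)."""
    open_groups, done = {}, []
    for ev in events:
        _, tid, step = ev
        if step == end_step:
            if tid in open_groups:
                done.append(open_groups.pop(tid))
            open_groups[tid] = [ev]
        elif tid in open_groups:
            open_groups[tid].append(ev)
    done.extend(open_groups.values())
    # report each transaction as its ascending list of event times
    return [sorted(t for t, _, _ in g) for g in done]


def transaction_a_to_last_d(events, start_step="A", end_step="D"):
    """The grouping the poster describes: begin at an "A", run until the
    next "A" for the same id, then trim back to the latest "D" so the
    transaction ends on "D" with no "A" in between. Groups with no "D"
    at all are dropped."""
    groups, current = [], {}
    for ev in sorted(events):               # oldest to newest
        _, tid, step = ev
        if step == start_step:
            if tid in current:
                groups.append(current.pop(tid))
            current[tid] = [ev]
        elif tid in current:
            current[tid].append(ev)
    groups.extend(current.values())
    trimmed = []
    for g in groups:
        last_d = max((i for i, ev in enumerate(g) if ev[2] == end_step), default=-1)
        if last_d >= 0:                     # drop events after the last "D"
            trimmed.append([t for t, _, _ in g[: last_d + 1]])
    return trimmed
```

With the sample above, `endswith="D"` yields four fragments (one of them a lone "D" and one with a "C" after its "A"), while the wanted grouping yields three transactions and discards the trailing "C" at time 10.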