cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
p4085f9
Engager
Member since: ‎04-22-2022
‎05-05-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-22-2022
Activity Feed
View All

Re: Missing transaction caused by multisearch / su...

by in Splunk Search
‎05-05-2022 11:08 AM
‎05-05-2022 11:08 AM
Dear PickleRick, Thank you very much for your answer. Best regards, Robert ... View more

Missing transaction caused by multisearch / subsea...

by in Splunk Search
‎04-22-2022 11:23 AM
‎04-22-2022 11:23 AM
Hi all I have a riddle. Query A and query B does not collect the same events and I don’t understand why. Query A) results 2 events as transaction   | multisearch [search (11111111 OR 22222222) host=x index=y level=z (logger=a "text_a") ] [search (11111111 OR 22222222) host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Query B) results 1 event as transaction   | multisearch [search (11111111 OR 22222222) host=x index=y level=z (logger=a "text_a") ] [search host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     11111111 and 22222222 is used as an ID to test the query and to confirm the correctness. But if I remove these IDs from second search like in query B) than I get only one result, the other is missing.   I thought at the first time, it is because of the enormous amount of records. I used a time filter to reduce the records, at the end with 19.351 events. Unfortunately it didn’t help. Of course, if I replace the multisearch to OR, it works. Query C) If I move the ID filter in second search, booth events are there.   | multisearch [search host=x index=y level=z (logger=a "text_a") ] [search (11111111 OR 22222222) host=x index=y level=z (logger=b message="text_b") ] | rex field=_raw "<sg: ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Query D) Just to be sure, if I remove the "text_a" and message="text_b" from search the event is still missing.   | multisearch [search (11111111 OR 22222222) host=x index=y level=z logger=a ] [search host=x index=y level=z logger=b ] | rex field=_raw "<sg:ID>(?<ID>.*?)<" | transaction ID keepevicted=false startswith="text_a" endswith=message="text_b"     Maybe someone of you already had similar issues in transaction with multi-search and know, what could cause this problem. Thank you for your answers. Best regards, Robert ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-05-2022 06:02 PM
Karma given to
View All