×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
SplunkWorthy
Observer
Member since: Friday
yesterday
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-22-2026
View All

Re: Trasaction command displaying endswith field b...

by in Splunk Search
Friday
Friday
These are the results when I use a sort before the transaction command:   sort -status    = no results sort -message   = no results sort -time  = sorted based on time but no change to logs that are used in the results. Still complete then fail. ... View more

Re: Trasaction command displaying endswith field b...

by in Splunk Search
Friday
Friday
I am unable to provide a copy of the logs, but I can create an example myself:   _time                                 Name       ID          status     message         start time                         endtime 2026-05-22  00:00:30:900                    Log1            123                     4                      Complete            2026-05-22T04:00:30.900Z                  2026-05-22T04:00:40.03Z                                                                                                                                               5                    Failed         2026-05-22T08:02:00.888Z               2026-05-22T08:02:10.933Z In this example, the fail is showing with the completion that happened prior to the failure, when instead, I want it to show the completion after. This example shows the results after they have been tabled. ... View more

Trasaction command displaying endswith field befor...

by in Splunk Search
Friday
Friday
I am attempting to use the transaction field to identify when a  service fails and then the next time it runs successfully after the fail. I am getting results that are close to what I want, but it is showing the results out of order. I am getting the completed status before the faulted status. Here is the command I am using below:   transaction ID startswith="Faulted" endswith="Completed"   My goal is to group the logs by ID where it shows me the first faulted log followed by the completed log but its giving me the results in reverse order. I have already tried to sort by _time and the status field before the transaction command but that does not help. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
yesterday