Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About ggiovan
ggiovan
Engager
Member since:
04-25-2017
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-25-2017 |
Activity Feed
- Karma Re: How to edit my search to use transaction command to exclude values? for somesoni2. 06-05-2020 12:48 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 05-03-2017 07:57 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-28-2017 05:03 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-28-2017 04:56 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:44 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:43 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:43 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:42 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:40 AM
- Posted Re: How to edit my search to use transaction command to exclude values? on Splunk Search. 04-26-2017 02:36 AM
- Posted How to edit my search to use transaction command to exclude values? on Splunk Search. 04-25-2017 08:38 AM
- Tagged How to edit my search to use transaction command to exclude values? on Splunk Search. 04-25-2017 08:38 AM
- Tagged How to edit my search to use transaction command to exclude values? on Splunk Search. 04-25-2017 08:38 AM
- Tagged How to edit my search to use transaction command to exclude values? on Splunk Search. 04-25-2017 08:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
05-03-2017
07:57 AM
Hi, I need to exclude all the events that start with "LOGON" and end with "LOGOFF BY CLEANUP" and that they are exactly 2 in 2 minutes.
That's why I need "eventcount = 2".
Thank you very much
... View more
04-28-2017
05:03 AM
The "eventcount is lost" means that if I write "...| where _txn_orphan=1 AND eventcount=2" it doesn't work, return 0 events. If I show the eventcount with "...| table eventcount " with "keeporphans=t" the output is null in every record.
Thanks
... View more
04-28-2017
04:56 AM
Hi, I have run the second suggestion with a change, now it's almost ok!
index=oracle
(INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
| transaction SESSIONID maxspan=2m startswith=ACT_NAME="LOGON") endswith=ACT_NAME="LOGOFF BY CLEANUP" keeporphans=t
| where _txn_orphan=1
But now I can not use the "eventcount = 2" when I use the "keeporphans = t", the value "eventcount" is lost. Can you help me?
Thank you very much
... View more
04-26-2017
02:44 AM
Have you other suggestions? Thank you!
... View more
04-26-2017
02:43 AM
Hello, I run this:
index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
NOT [search index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
| transaction SESSIONID maxspan=2m startswith=(ACT_NAME="LOGON") endswith=(ACT_NAME="LOGOFF BY CLEANUP") | where eventcount = 2 | return 1000 $SESSIONID]
Returns 8,240 events. Some values of second search (which must be excluded) are not excluded.
Please have other suggestions?
Thank you all.
... View more
04-26-2017
02:43 AM
Have you other suggestions? Thank you!
... View more
04-26-2017
02:40 AM
Hello, I run this:
index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
NOT [search index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
| transaction SESSIONID maxspan=2m startswith=(ACT_NAME="LOGON") endswith=(ACT_NAME="LOGOFF BY CLEANUP") | where eventcount = 2 | table SESSIONID]
Returns 8,242 events. Some values of second search (which must be excluded) are not excluded.
The second suggestion return 0 events.
... View more
04-26-2017
02:36 AM
Hello, I run this:
index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
NOT [search index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
| transaction SESSIONID maxspan=2m startswith=(ACT_NAME="LOGON") endswith=(ACT_NAME="LOGOFF BY CLEANUP") | where eventcount = 2 | return 1000 $SESSIONID]
Returns 8,240 events. Some values of second search (which must be excluded) are not excluded.
... View more
04-25-2017
08:38 AM
Hi, I have the following search that returns 10,552 events over a given period of time:
index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
Then I have second search using the "transaction" command that returns 664 events, in each of which there are two related events I want to exclude from the first search through SESSIONID:
index=oracle (INSTANCE_NAME="01" OR INSTANCE_NAME="02" OR INSTANCE_NAME="03")
| transaction SESSIONID maxspan=2m startswith=(ACT_NAME="LOGON") endswith=(ACT_NAME="LOGOFF BY CLEANUP")
| where eventcount = 2
Can you help me to find a solution for this problem with only one search to return 9224 ( =10,552 - (664*2) ) events?
I have already used "search NOT [transaction ..]", "keepevicted = true" with "evicted = 1", append [ search..| transaction SESSIONID]...but don't work
I can not use a "inputlookup"
Thanks so much
... View more
