Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I report on incomplete transactions?

hexx
Splunk Employee
Splunk Employee
‎06-08-2011 05:08 AM

I am using the following search to report on successful transactions in our password checkin/checkout system :

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset"

However, I would like to build a report that shows all incomplete transactions. How can I achieve this?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-08-2011 05:09 AM

The transaction command creates an internal field named "closed_txn" to indicate if a given transaction is complete or not.

From the Search Reference Manual entry for the Transaction command :

keepevicted=<bool>

Description:

Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.

Transactions that fulfill both the "startswith" and "endswith" condition are marked as successful by having the field "closed_txn" set to 1, where transactions that fail to fulfill one or both of these conditions are marked as unsuccessful by having the field "closed_txn" set to 0.

In our case, to report on incomplete transactions we need to :

  • Keep all transactions, both closed (those that match all the transaction restrictions) and open (those that fail to match all the transaction restrictions), by specifying "keepevicted=true".
  • Use the "closed_txn" Boolean field generated by the transaction command to differentiate the invalid transactions.

Our new search should append "| search closed_txn=0" to the base search in order to only report on the unsuccessful transactions

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | search closed_txn=0

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-12-2012 05:16 PM

FYI, if you also want to calculate duration of unclosed transactions, this is possible with an eval.


mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration _raw

Beware, the function now() may not be compatible with real time.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎12-21-2015 12:41 PM

using a stats command may be less expensive than a transaction :

mysearch ""checkout"  OR "reset" "| stats first(_raw) AS recent_event first(_time) AS _time by  Hostname, LBG_User | where revent_event="*checkout*"  | eval duration=if(isnull(duration),now()-_time,duration) | table _time duration Hostname LBG_User  recent_event
0 Karma
Reply
Solved! Jump to solution

mmacvicar_splun
Splunk Employee
Splunk Employee
‎03-02-2017 09:59 AM

Minor correction, duration=0 for events that haven't completed so "eval duration=if(duration==0,now()-_time,duration)" or:
mysearch | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | eval duration=if(duration==0,now()-_time,duration) | table _time duration _raw

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-08-2011 05:09 AM

The transaction command creates an internal field named "closed_txn" to indicate if a given transaction is complete or not.

From the Search Reference Manual entry for the Transaction command :

keepevicted=<bool>

Description:

Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.

Transactions that fulfill both the "startswith" and "endswith" condition are marked as successful by having the field "closed_txn" set to 1, where transactions that fail to fulfill one or both of these conditions are marked as unsuccessful by having the field "closed_txn" set to 0.

In our case, to report on incomplete transactions we need to :

  • Keep all transactions, both closed (those that match all the transaction restrictions) and open (those that fail to match all the transaction restrictions), by specifying "keepevicted=true".
  • Use the "closed_txn" Boolean field generated by the transaction command to differentiate the invalid transactions.

Our new search should append "| search closed_txn=0" to the base search in order to only report on the unsuccessful transactions

(index=aix USER_Login) OR (index=pword) | transaction Hostname, LBG_User startswith="checkout" endswith="reset" keepevicted=true | search closed_txn=0

Reply
Solved! Jump to solution

splunkering
Explorer
‎07-31-2018 07:55 AM

Hi @hexx
Thanks for your solution. I have the same requirement but this solution didn't work for me.
When I add keepevicted=true it shows me 2 events per transaction; transaction started event (with closed_txn=0) and transaction ended event (with closed_txn=1) and when I add | search closed_txn=0 it shows me transaction started event for all transactions - including those that completed successfully. But I want only transactions that do not have a completed event

... | transaction build_number,type startswith="started" endswith="completed" keepevicted=true | search closed_txn = 0

0 Karma
Reply
Solved! Jump to solution

splunkering
Explorer
‎07-31-2018 08:03 AM

However, this works but I am not sure if its the best approach?
... | stats count by build_number | search count = 1

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...