We have several problems that we weren't able to resolve with Splunk's SPL.

Let's say we have several event types: A, B, C, D, E. Each event posted is in a _time ordered sequence which we need to maintain. And we want transactions that begin with A and end with D.

We can't do the simple transaction below.

| transaction startswith="A" endswith="D"

Because it gives us wrong data, with A sometimes missed inside the Splunk recursive search. For example, if the event sequence was (AB) CDA..., Splunk returns the transaction ABCD from the outer sequence (AB)(CD) as well as the inner sequence, which is incorrect. To be correct, the first (AB) should be a discarded transaction, and CD should be returned, then a new transaction starts again at A.

So we decide to find transactions that ALWAYS start with A. Now I want to find transactions that start with A, and end in D, but since A is the marker for the beginning of a transaction, we do not want an A grouped into a wrong transaction like above (A starts a new transaction), so we do this.

| transaction startswith="A" | transaction startswith="A" endswith="D"

This should only give us a subset of the above, that contain D, but not necessarily endswith. We would rather have the transactions trimmed at D as follows, but Splunk is not doing this. It leaves whatever is there created from the superset. Maybe piping a transaction to another transaction might not be the solution either?

Now, let's say we want to have a transaction that startswith A, followed by 1 or more Bs, and ending in E. There could be 0 to many Cs and Ds in the mix, but as long as A*B*E is satisfied it should return all the transactions that satisfy this requirement. In this example we are using only 5 event types, but we could have dozens of event types. And thus it could be possible that we are looking for a sequence such as A*B*G*M*V*Z.

The subset of the above PROBLEM 1 example should return for A*B*E:

We need to specify sequence order for specific events with many unknown events that can be intermixed as long as the sequence is satisfied. It should return something like this as a transaction:

Basically, we need to determine a path from point X to point Y. Anytime a person reaches a point, an event is logged that he reached that point. And how that person reached point Y, always beginning at X. And the returned transaction would be a list of these events.

Splunk transactions are built in reverse order, and the transaction command actually requires that the events are ordered by descending time. So Splunk looks first for the end of the transaction and then works backwards to the beginning. When you think about this, it may change your approach.

You might try this:

yoursearchhere

But this example causes Splunk to build a new transaction each time it sees an instance of "D" - and what you want is for Splunk to start with the earliest instance of "A" and end with the latest instance of "D", with no intervening "A"s. I think what would work best is

yoursearchhere
| then go backwards through the transaction's events to the latest event that is "D"

As you can see, I haven't figured out the last part yet. But I think that some of these other issues may be inhibiting your progress.

Also, Splunk cannot deal with interleaved transactions unless there is a unique identifier for each transaction. If you have multiple transactions with an id of "35", then one transaction must end before another begins.

Finally, the transaction command is very memory intensive. When Splunk runs short of memory, it may "evict" transactions that it otherwise would have kept. Test your searches with the smallest reasonable time range to avoid this problem. You may want to look at the Search Job Inspector for any warnings that would indicate that Splunk was not able to form the transactions completely.

I hope this helps you to get closer to a solution.
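The grouping rules the thread asks for (an A always opens a new transaction, the transaction ends at the latest D with no intervening A, an incomplete group is discarded) and the generalised A*B*E sequence, written out in plain Python as an added example that is not from the thread or from Splunk; the event types and the event stream are constructed:

```python
# Added example, not code from the thread: the grouping rules the question
# asks for, made explicit in Python before anyone tries to express them in
# SPL. Event types and the stream below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    time: int   # constructed ordinal; only the ascending order matters
    type: str   # event type such as "A", "B", "C"


def split_at_start(events: list[Event], start: str) -> list[list[Event]]:
    """Cut the time-ordered stream into segments that each begin with `start`.
    A new `start` always opens a new segment, so no segment holds two of them;
    events seen before the first `start` belong to no transaction."""
    segments: list[list[Event]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.type == start:
            segments.append([ev])
        elif segments:
            segments[-1].append(ev)
    return segments


def match_sequence(segment: list[Event], markers: list[str]) -> Optional[list[Event]]:
    """Trim `segment` to an ordered match of `markers`, or return None.
    markers[0] is the segment's opening event; each later marker must occur
    after the previous match, with any other event types interleaved. The
    result ends at the LAST occurrence of the final marker (the "latest D");
    a segment that never completes the sequence is discarded."""
    pos = 0
    for marker in markers[1:]:
        pos = next((i for i in range(pos + 1, len(segment))
                    if segment[i].type == marker), -1)
        if pos < 0:
            return None
    last = max(i for i, ev in enumerate(segment) if ev.type == markers[-1])
    return segment[: last + 1]


def transactions(events: list[Event], markers: list[str]) -> list[str]:
    """Every completed transaction for `markers`, as a string of event types."""
    hits = (match_sequence(seg, markers) for seg in split_at_start(events, markers[0]))
    return ["".join(ev.type for ev in hit) for hit in hits if hit is not None]


# Constructed stream. Segments at each A: "AB" (no D, dropped), "ACD",
# "ACDDBEBE" (trimmed to the last D, or kept whole for A..B..E), and a
# trailing lone "A" that is still open and therefore dropped.
STREAM = [Event(i, t) for i, t in enumerate("ABACDACDDBEBEA")]

if __name__ == "__main__":
    print(transactions(STREAM, ["A", "D"]))        # ['ACD', 'ACDD']
    print(transactions(STREAM, ["A", "B", "E"]))   # ['ACDDBEBE']
```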