Hi, does anyone know if there is a way for transaction startswith/endswith to take the middle result? Example: I have transaction DESCRIPTION startswith VALUE RUN endswith VALUE STOP. In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP. I am trying to extract a sequence of events from logs by using the transaction command. Basically, a single event can be mapped out to multiple logged events (with startswith and endswith it gives all transactions to be single events).

I'd need some help in finding out the rationale behind this behaviour. Apparently the Transaction command works with. A transaction is a group of related events. Transactions can be generated from multiple data sources and multiple separate log entries. They don't necessarily occur at the same time.

Here's my case: it's a sample file, manually put together to explore the topic. Transactions are made by two types of events: those with tnsid "open" the transaction and those with altid "terminate" it. Those events are "chained" by an event having both fields in it.

I can achieve the expected result through the simplest transam command:

| file /tmp/tnsexp.log | extract | sort - _time | transam tnsid altid

Here's its output: 08:00:01 - init - tnsid=AAA

The latest is an "open" transaction which should or should not be returned depending on the keepevicted setting, but, Splunk having no knowledge about what's an evicted transaction, the parameter has no effect.

If I wish to code some logic into the command:

| transam tnsid altid endswith="term" -> will provide correct results; keepevicted will correctly control the output of T4, but will leave closed_txn=0 for all of the results
| transam tnsid altid startswith="init" -> will break everything
| transam tnsid altid startswith="init" endswith="term" -> will still return incorrect results
In the following case using endswith alone does a good job, but using startswith or both of them will provide incorrect results. Is there any known issue on the startswith clause, when using multiple fields to identify complex transactions?