Is it possible to post a sample event set that's spanned over days? What if you hard code a few IDs in the main search and see if transaction is able to catch it? Hope this leads you the right way. Since you are tracing one transaction spanning over multiple days, I doubt if the event limits is the cause. Try adding maxevents=-1 and run the same search and see if it picks the multiple day spanning events. This opens a new transaction (connected=true) or adds the event to the transaction (connected=false). The OR will naturally work, but not when we have both conditions, as the first to reach the. Which of the below one is correct indexweb 'web-thread-' transaction txid startswith(param121fdfd OR param2asfdads3232 OR ainexe1 OR asdf1) endswith'web time:' maxspan10m. Once we hit the startswith condition, we emit the transaction. I want any event that contains either of the strings. If the value is negative, maxspan is disabled and there is no limit. If With Multiple Conditions in Splunk Eval. I'm using the transaction with startswith to match multiple strings. The events in the transaction must span less than integer specified for maxspan. In your case, I do not think maxspan is the issue. Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. My thought is that the problem is with maximum time span Splunk looks for completed event. e "In Progress" -> "Stuck" therefore showing such tasks as Stuck whereas they've been Completed. In presence of these conditions it keeps showing the first part i. I can see Splunk bundles them in Transactions "In Progress" -> "Stuck" And Then "Stuck" -> "Completed" if startswith and endswith conditions are removed. Pretty straightforward and works fine but the problem starts when there are transactions that span over few days. The first contains all events in the transaction while the second, the one I'm looking for, contains the events specified in the definition options.
When I run it, though, the output produces two results per transaction. I am passing a field and using startswith and endswith definition options. Index="orchestrator_tasks" | transaction ID startswith="In Progress" endswith="Completed" | where Status != "Complete" Hello, I am working with the transaction command. To set tokens, I have several 'condition match' in a search but, if more than one condition is matched, only the first one seems to work. So a transaction is a task ID starting with "In Progress" and ending with "Completed" while it may remain in "Stuck" state for any period of time. It can be in "Stuck" state for any period of time (more than 4 days in some cases). Every task starts with "In Progress" and ends with "Completed". We have data coming from database showing the status of Orchestrator tasks.