When I use wildcards in the startswith or endswith for transaction, I get unexpected behavior. In short, if I specify something like startswith=aaa bbb ccc, then it seems to match strings of the form aaaccc. Sometimes I can get around this by specifying startswith=(aaa yyyy bbb ccc OR aaa zzzz bbb ccc) when.

I'd need some help in finding out the rationale behind this behaviour. Here's my case: it's a sample file, manually put together to explore the topic. Transactions are made by two types of events: those with tnsid "open" the transaction and those with altid "terminate" it. Those events are "chained" by an event having both fields in it. I can achieve the expected result through the simplest transam command:
| file /tmp/tnsexp.log | extract | sort - _time | transam tnsid altid
In the following cases, using endswith alone does a good job, but using startswith or both of them will provide incorrect results.
| transam tnsid altid startswith="init" endswith="term" -> will still return incorrect results. Here's its output: 08:00:01 - init - tnsid=AAA
| transam tnsid altid startswith="init" -> will break everything
| transam tnsid altid endswith="term" -> will provide correct results; keepevicted will correctly control the output of T4, but will leave closed_txn=0 for all of the results.
Is there any known issue on the startswith clause when using multiple fields to identify complex transactions?

Reposting as an answer: Yes, this is an idiosyncrasy in the implementation of the transaction command in the search language. Although you're thinking of the transaction as being aggregated as time moves forward, the command experiences time in the other direction; we start from the most recent. The latest is an "open" transaction which should or should not be returned depending on the keepevicted setting, but since Splunk has no knowledge of what an evicted transaction is, the parameter has no effect.

This is a great demonstration case for the general rule - NEVER use transaction when something else will do. your search that extracts the records you want for a start or end of a 'transaction', with time ObjectID source and host wit. In this case, stats gets you your answer better, faster, easier.

Hi, I have a search to get the duration of a job, let's say startswith=started endswith=success. But in some cases the job may fail, and then it should be endswith=FAILURE. Now I want to write a single search to get SUCCESS OR FAILURE jobs and their duration, starttime, endtime and status. Ex: transaction JOB.

I'm configuring an alert for changes in EIGRP neighbor adjacency. I've configured a field extraction that defines the fields. I'm using the transaction command to correlate the "down" and "up" messages for a given host, interface, and neighbor. Here's the search string:
index=network NBRCHANGE | transaction host eigrp_interface eigrp_neighbor startswith=eigrp_state="down" endswith=eigrp_state="up" keepevicted=true | eval eigrp_alert=if((closed_txn=0 AND eigrp_state="down") OR (closed_txn=1 AND duration>30),1,0) | search eigrp_alert=1
If I wish to code some logic into the command:
IF the transaction is closed and the duration (i.e., the downtime) was greater than 30 seconds -> Alert
IF the transaction isn't closed (i.e., no "up" message received) and the state is "down" -> Alert
I want to add one more condition to the alert if an interface is "flapping". In other words, if more than x "down" messages are seen for the same neighbor within a period of time, alert. I can't figure out how to add this logic.