|
Good Day, New to splunk, using version 4.2.3 Imported some zipped log files into splunk. I can search them just fine, but the transaction command doesn't work as expected. Using the transaction command to find the duration of connections. The search being run is - index=myIndex | search * | transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" The results however are not accurate, I have results where the myId pulled for startswith is different from the myId field pulled for endswith. However, if I import the data into splunk's default index the above search works as expected. How can I fix this without re-importing all the logs into the default index? |
Refine your search:
- Apps & Questions
- Apps
- Questions
- Users
- Tags
Markdown Basics
- *italic* or _italic_
- **bold** or __bold__
- link:[text](http://url.com/ "Title")
- image?
- numbered list: 1. Foo 2. Bar
- to add a line break simply add two spaces to where you would like the new line to be.
- basic HTML tags are also supported
Tags:
Asked: 09 Sep '11, 08:26
Seen: 408 times
Last updated: 12 Sep '11, 23:52
Can you post an example of the data set?
also you don't need the |search *, index=myIndex| transaction myId maxspan=30m startswith="MsgNo=0" endswith="Hang up" should produce the same result with less overhead.