I'd like to understand how the keepevicted transaction flag is related to timespan.
It is pretty straightforward to understand what keepevicted does when it is used with **startswith** (it includes all other events that are not filtered by **startswith**).
On the other hand, I've been using different timespans over a day, with keepevicted=true, but I got different numbers of total aggregated records.
For given records

```
uriPart1/UserGuid1/uriPart2
uriPart1/UserGuid2/uriPart2
uriPart1/UserGuid3/uriPart2
```

where each UserGuidX is a GUID, and then a Splunk query such as
```
/uriPart1/*/uriPart2
| rex field=cs_uri_stem "uriPart1/(?<UserId>.*)/uriPart2"
| sort 0 _time
| transaction UserId maxspan=1m maxpause=1m keepevicted=true
| stats count by linecount | sort by linecount
```
Let's say, for example, with 1m I got:

**1m run**

| linecount | count | aggregated |
|---|---|---|
| 1 | 1000 | 1000 |
| 2 | 30 | 60 |
| **totals** | **1030** | **1060** |
and for a 30m run I got:

**30m run**

| linecount | count | aggregated |
|---|---|---|
| 1 | 800 | 800 |
| 2 | 40 | 80 |
| 3 | 10 | 30 |
| 4 | 2 | 8 |
| 5 | 1 | 5 |
| **totals** | **853** | **923** |
I understand the total events of (1m, 1030) vs (10m, 853), but what I don't understand is the total aggregate of 1060 vs 943. I'm sure there are fewer buckets of data with a higher timespan, but I'd expect the same total amount of data as the run with 1m.
So my original question is: how does keepevicted=true pull out specific transactions under the timespan criteria, where do these transactions go, and why can't they be put in another bucket?
Thanks!
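As an added illustration (not part of the original post and not Splunk's implementation), the following Python model replays the poster's pipeline on a constructed, pre-sorted event list: it groups events per UserId under the documented maxspan/maxpause closing rule and then rebuilds the `linecount`/`count`/`aggregated` table. The event timestamps, the user ids and the helper names `group_transactions`, `linecount_table` and `totals` are assumptions made for this example. The model deliberately omits memory-based eviction, which is the case keepevicted governs, so it shows only the invariant the poster expects: a shorter maxspan yields more, smaller transactions, but the aggregated total stays equal to the number of input events.

```python
"""Toy model of `transaction <field> maxspan=... maxpause=...`.

Constructed example for this thread; it is NOT Splunk's code.  Assumed rule:
an event joins the open transaction for its key only if the transaction's
total span stays within maxspan AND the gap since the previous event stays
within maxpause; otherwise the open transaction is closed and a new one is
started.  Memory-based eviction (what keepevicted is about) is not modelled.
"""
from collections import Counter

# Constructed sample events: (seconds since start, UserId), one event per line.
EVENTS = [
    (0, "UserGuid1"), (0, "UserGuid2"), (0, "UserGuid3"),
    (30, "UserGuid1"), (50, "UserGuid1"),
    (90, "UserGuid1"), (100, "UserGuid1"),
    (200, "UserGuid2"),
]


def group_transactions(events, maxspan, maxpause):
    """Return a list of (user_id, [event times]) transactions.

    maxspan and maxpause are in seconds; events are sorted by time first,
    mirroring the `sort 0 _time` step in the question.
    """
    open_txn = {}   # user_id -> (first_time, last_time, times)
    closed = []
    for t, uid in sorted(events):
        cur = open_txn.get(uid)
        if cur is not None:
            first, last, times = cur
            if t - first <= maxspan and t - last <= maxpause:
                times.append(t)
                open_txn[uid] = (first, t, times)
                continue
            # Constraint violated: close the running transaction and
            # start a fresh one with the current event.
            closed.append((uid, times))
        open_txn[uid] = (t, t, [t])
    # Whatever is still open at end of stream is emitted as well.
    closed.extend((uid, times) for uid, (_, _, times) in open_txn.items())
    return closed


def linecount_table(transactions):
    """Rebuild the question's table: {events_per_txn: (count, aggregated)}."""
    hist = Counter(len(times) for _, times in transactions)
    return {n: (c, n * c) for n, c in sorted(hist.items())}


def totals(table):
    """(total transactions, total aggregated events) for a table."""
    return (sum(c for c, _ in table.values()),
            sum(a for _, a in table.values()))


if __name__ == "__main__":
    for label, span in (("1m", 60), ("30m", 1800)):
        table = linecount_table(group_transactions(EVENTS, span, span))
        print(f"{label} run")
        for n, (c, a) in table.items():
            print(f"  linecount={n} count={c} aggregated={a}")
        print("  totals", totals(table))
```

With the sample above the 1m run produces five transactions (sizes 3, 2, 1, 1, 1) and the 30m run three (sizes 5, 2, 1); in both cases the aggregated column sums to the eight input events, which is exactly the equality the poster expected and did not observe.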