topic Re: Transaction - max span is 1 calendar day in Splunk Search

Transaction - max span is 1 calendar day

alisaf — Sun, 11 Aug 2019 12:54:16 GMT

Hi all, can I define somehow that I will get the only a transaction from the same calendar day?
I know that I can use maxspan but, if I have two transactions:
08-11-19 15:51
08-12-19 00:02
I would like that it will not show me this transaction (and maxspan=1d/24m not helping me with that).

**Example **
so this is an example to my logs:
1) 1/1/19 2:58 ON
2) 1/1/19 11:31 OFF
3) 1/1/19 13:21 ON
4) 1/1/19 17:03 OFF
5) 1/1/19 19:53 ON
6) 1/2/19 5:17 OFF

I wish to know for how long some users have been on state ON and on state OFF (going from ON to OFF is on and from OFF to ON is off) on the same day.
here I would like to get:
On 30780s (1->2)
Off 6660s (2->3)
On 13320s (3->4)
Off 10181s (4->5)

And I don't want that to show the transaction from 5 to 6 since it is not on the same date.
Thank you!

Re: Transaction - max span is 1 calendar day

richgalloway — Sun, 11 Aug 2019 13:31:00 GMT

If you limit your search to a single day using earliest=@d or earliest=-1d latest=@d then the transaction will only have events from that day.

You might try bucketing events before the transaction. ... | bucket span=1d _time | transaction maxspan=1d ....

Re: Transaction - max span is 1 calendar day

woodcock — Sun, 11 Aug 2019 20:30:01 GMT

DO NOT USE the transaction command. Where is your SPL? Show us your raw events and a mockup of your desired final output.

Re: Transaction - max span is 1 calendar day

alisaf — Mon, 12 Aug 2019 06:27:08 GMT

so this is an example to my logs:
1) 1/1/19 2:58 ON
2) 1/1/19 11:31 OFF
3) 1/1/19 13:21 ON
4) 1/1/19 17:03 OFF
5) 1/1/19 19:53 ON
6) 1/2/19 5:17 OFF

And I don't want that to show the transaction from 5 to 6 since it is not in the same date.
Thank you!

Re: Transaction - max span is 1 calendar day

woodcock — Mon, 12 Aug 2019 15:52:28 GMT

DO NOT use transaction; do it like this:

| makeresults 
|  eval raw="time=1/1/19T2:58,state=ON time=1/1/19T11:31,state=OFF time=1/1/19T13:21,state=ON time=1/1/19T17:03,state=OFF time=1/1/19T19:53,state=ON time=1/2/19T5:17,state=OFF"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename time AS _time
| eval _time = strptime(_time, "%m/%d/%yT%H:%M")
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval days = _time
| bin days span=1d
| streamstats count(eval(state="OFF")) AS transactionID
| stats values(*) AS * dc(days) AS day_count BY transactionID
| search day_count == 1