topic Re: Help with Transaction in Splunk Search

Help with Transaction

pbarbuto — Mon, 01 Jul 2019 22:59:59 GMT

I'm trying to to list out running sessions for a service. I am using timechart to list when its active and then simply looking for the duration of the running session.

<base search>
| timechart span=15m count
| eval running=if(count = "0","no","yes")

This returns

_time                count running
2019-07-01 07:00:00 0   no
2019-07-01 07:15:00 0   no
2019-07-01 07:30:00 16  yes
2019-07-01 07:45:00 19  yes
2019-07-01 08:00:00 5   yes
2019-07-01 08:15:00 3   yes
2019-07-01 08:30:00 8   yes
2019-07-01 08:45:00 1   yes
2019-07-01 09:00:00 0   no
2019-07-01 09:15:00 1   yes
2019-07-01 09:30:00 3   yes
2019-07-01 09:45:00 3   yes
2019-07-01 10:00:00 10  yes
2019-07-01 10:15:00 1   yes
2019-07-01 10:30:00 1   yes
2019-07-01 10:45:00 0   no
2019-07-01 11:00:00 0   no

I can see that the service was running from 7:30-8:45 (Duration of 1:15) and again at 9:15-10:30 (Duration of 0:45).

Im trying to get that running time by using Transaction like this:

<base search>
| timechart span=15m count
| eval running=if(count = "0","no","yes")
| transaction running startswith="yes" endswith="no"

But that isn't working. Any suggestions?

Re: Help with Transaction

memarshall63 — Tue, 02 Jul 2019 00:03:40 GMT

The startswith and endswith fields are:

"Description: A search or eval expression which, if satisfied by an event, marks the start/end of a transaction."

Try this:

| transaction  startswith="running=yes" endswith="running=no"

There's probably a cleaner way to group the events before you get to the timechart, as well, but we'd have to look at the raw events to see for sure.

Hope that helps.

Re: Help with Transaction

pbarbuto — Tue, 02 Jul 2019 02:51:36 GMT

Ok, fixing the syntax definitely gets a little closer. But it seems to be comparing each yes with each no. I just need to find the first yes, then the first no after the first yes, and get that duration. then find the next yes after that and the next no after that and get that duration as well. And so on. I hope that makes sense.

I just want to know how long the service was active and running.

Re: Help with Transaction

memarshall63 — Tue, 02 Jul 2019 14:26:27 GMT

The transaction command usually works with some sort of "session id" (or maybe in your case "serviceId") or common field that crosses all the events in a transaction. My command above left it out because I didn't see one to use. But, I can see maybe why that doesn't work.

You might try inserting the transaction command before the timechart. Letting it work on the raw data. You'll be able to see in your data which events it's grouping. Transaction command automatically inserts a "duration" field when it groups things, so you'll have that field, and if you're working with the raw data you won't be a slave to the 15min grouping that timechart is giving you.

Transaction tends to be a heavy choice, and if you can find a way to use stats or something else to do the grouping, that'd probably be cheaper.

Other things to try:

| transaction  endswith="running=no"

I didn't test it, but by removing the 'startswith' you may just get the timespans between "no's" -- and maybe that's closer to what you're looking for.

Hope that helps.

Re: Help with Transaction

pbarbuto — Tue, 02 Jul 2019 18:21:03 GMT

Hey that did it! Thanks!