topic Transaction using datamodel in Splunk Search

Transaction using datamodel

rkd — Tue, 13 Oct 2020 11:00:48 GMT

Hello,

I am trying to calculate the browse time and bandwith usage of users by looking at the log files of the firewall. As far as i can understand the best way to this is to use transaction command. However, to make the transaction command more efficient, i tried to use it with tstats (which may be completely wrong). my assumption is that if there is more than one log for a source IP to a destination IP for the same time value, it is for the same session.

Here is my query:

| tstats sum(datamodel.mbyte) as mbyte from datamodel=datamodel by _time source destination | transaction source destination maxpause=1m

My questions are:

is there a more efficient way to calculate these values?
Max duration value for my query is always equals to maxpause value. Shouldn't be values greater than maxpause.

Thanks in advance

Re: Transaction using datamodel

richgalloway — Tue, 13 Oct 2020 14:42:14 GMT

I wonder if you might misunderstand the transaction command. It merges multiple events based on shared elements. The tstats command with a by clause does a similar thing so you probably don't need both commands. Have you tried tstats by itself to see if it produces the desired results?

Re: Transaction using datamodel

Kaand — Wed, 14 Oct 2020 05:59:43 GMT

Well i may be wrong about transaction, but let me clarify what i need by giving examples. Lets say that i have data as follows:

Event ID	Time	Source	Destination
1	08:00:00	S1	D1
2	08:00:45	S1	D1
3	08:01:30	S1	D1
4	08:02:31	S1	D1

By using transaction i want to group Event ID 1, 2 and 3. Because, the time difference between consecutive events are less than 1min. Here is my desired output:

Transaction ID	Source	Destination	Duration
1	S1	D1	90
2	S1	D1	0

Shouldn't transaction command do that? Am i missing something?