topic Re: transaction command for same type of multiple events in Splunk Search

transaction command for same type of multiple events

sunny_871 — Fri, 16 Aug 2024 15:20:25 GMT

Hi, I have a scenario where I want to calculate the duration between 1st and last event. The thing is these events can happen multiple times for the same session.

The 1st event can happen multiple times and everytime it is the exact same thing but I only want the transaction to start from very first event so that we know what is the exact duration.

Sample events below - See the last 2 events where one says MatchPending and another one says MatchCompleted.

What I want is to calculate the duration between 1st event and last event where it says MatchCompleted

Any help is appreciated.

Best Regards,
Shashanlk

Re: transaction command for same type of multiple events

renjith_nair — Sat, 17 Aug 2024 02:34:32 GMT

If you have identifier of each transaction such as transaction id, use stats to get the earliest and latest

for e.g.

your search |earliest(_time) as starttime,latest(_time) as endtime by transactionID|eval duration=endtime-starttime

Re: transaction command for same type of multiple events

sunny_871 — Mon, 19 Aug 2024 09:06:24 GMT

@renjith_nair Thanks for the response but I don't think your solution is fully working.

I tried it like below but then _time will not be available for me to plot the graph. I need to plot that duration on a graph. Is there a way to do that?

| stats earliest(_time) as starttime,latest(_time) as endtime by uniqueId | eval duration=endtime-starttime | timechart span=15m p95(duration) as p95Responsetime

Re: transaction command for same type of multiple events

PickleRick — Mon, 19 Aug 2024 09:12:00 GMT

Since you're aggregating a relatively long-spanned set of events into a single data point you have to make a concious decision which point in time to assume as the timestamp for the result. You can easily assign a value to the _time field just by doing

| eval _time=something

But you have to decide which timestamp to use.

Is it the start time for your transaction? Is it the endtime? Maybe it's a middle of the transaction... It's up to you to make that decision.

Anyway, when dealing with _time in stats, there's not much point in using latest() and earliest(). min() and max() suffice 🙂

Re: transaction command for same type of multiple events

sunny_871 — Mon, 19 Aug 2024 09:18:53 GMT

Hey @PickleRick Apologies I dont think I have fully understood what you are trying to imply here.

My objective is to calculate duration between 2 set of events but one of those 2 events can happen multiple times. It is like sending a request to an API and then validate the response. If the response is not what was expected then send the same request again and keep sending until you get the expected response.

So my objective is to calculate the time when the 1st request was sent and when the last expected response was received.

Please find the set of events again here.

Re: transaction command for same type of multiple events

PickleRick — Mon, 19 Aug 2024 09:42:09 GMT

OK. From the top.

You have a set of events. Each event has the _time field describing when the event happened.

You're using the stats command to find earliest and latest (or min and max which in this case boils down to the same thing) values of this field for each uniqueId.

As an output you have three fields - starttime, endtime and uniqueId.

You no longer have the _time field.

Timechart must have the _time field since it, well, it charts over the time.

So you have to assign some value to the _time field manually. You can do it either by using eval as I showed previously or simply by adding another aggregation to your stats. For example

| stats earliest(_time) as starttime,latest(_time) as endtime avg(_time) as _time by uniqueId

That's just one of possible ways of doing that (of course you can use avg(_time), min(_time), max(_time) or any other aggregation function which makes sense in this context).