topic Re: Transaction startswith in Splunk Search

Transaction startswith

andrey2007 — Mon, 28 Sep 2020 13:47:27 GMT

Hello,
i group my events in transactions by user and day
...| transaction user day and then calculate duration, eventcount, time of transaction started and finished
in logs there are fields action_type and action_time
i want transaction to start with action_type=login and action_time for this action_type for this user and day is minimal,
i.e. i want start transaction since first time user login this day

something like this... | transaction user day startswith=min(action_time for action_type=login)

What commands should i write?
Thank a lot for answers!

Re: Transaction startswith

emiller42 — Fri, 26 Apr 2013 00:19:12 GMT

... | transaction user day startswith(action_type="login")

This will start a transaction on first action_type="login" and not close it until the next day.

When you use startswith, you can have it be freeform text, an eval, or a valid search string. They have different syntax which is somewhat confusing in the documentation. The () indicates search syntax instead of simple text matching.

Re: Transaction startswith

andrey2007 — Fri, 26 Apr 2013 07:41:34 GMT

Thanks, but this way i will get number of transactions equal to number of users logins for this day, but i need 1 transaction with all user actions since first login for day

Re: Transaction startswith

kristian_kolb — Fri, 26 Apr 2013 09:28:00 GMT

You could look at the map command. Not much experience with that myself, but I believe that it could work here.

sourcetype=blah earliest=@d action_type=login
| stats min(_time) as first_login by user 
| map search="search sourcetype=blah starttimeu=$first_login$ user=$user$ 
| table _time action_type user "
| eval time = strftime(_time, "%Y-%m-%d %H:%M:%S") 
| eval time_action = time . " - " . action_type 
| stats list(time_action) as Time-Action by user

This should produce a list like;

user       Time-Action
-----------------------
bob        2013-04-25 11:22:33 - logout
           2013-04-25 11:22:20 - change_value
           2013-04-25 11:20:10 - login
           2013-04-25 09:30:52 - logout
           2013-04-25 09:26:14 - add_user
           2013-04-25 09:21:36 - login

caesar     2013-04-25 11:45:17 - logout
           2013-04-25 11:35:10 - list_products
           2013-04-25 11:17:39 - del_user
           2013-04-25 11:09:29 - login

...

adding | reverse | just before the final stats will list the Time-Action in chronological order (per user).

This is perhaps not exactly what you want, and I'd be happy to see improvements to this query. Actually, it's the first time I've played with the map command.

EDIT: Typo in the search. Sorry.

Re: Transaction startswith

emiller42 — Fri, 26 Apr 2013 14:07:31 GMT

Because we don't specify an 'endswith' or 'maxpause' it won't close the transaction at all. Each transaction will start with the first user login and end on the last event for that user. It will not start subsequent transactions for the same user in the same day.

Re: Transaction startswith

andrey2007 — Fri, 26 Apr 2013 19:15:49 GMT

To Emiller42 I made this way and I got some transactions for the same user in the same day