https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139170#M38235 <P>Hi, I'm working on speeding up searches that I initially wrote using the <EM>transaction</EM> command.</P> <P>A transaction is defined in my case as two different timestamped events (each event has 2 data lines). I want to get the average transaction time of all transactions occurring in a 10min period, which I can do with this:</P> <PRE><CODE>&lt;data&gt; | transaction transID maxevents=2 | timechart span=10m avg(duration) </CODE></PRE> <P>I'm attempting to avoid the transaction command in order to use auto-acceleration and speed-up execution time. My best attempt so far is the following (based on the Splunk doc example):</P> <PRE><CODE>&lt;data&gt; | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval t=strftime(start, "%m/%d/%y %H:%M:%S") | table t, RTT | chart avg(RTT) by t </CODE></PRE> <P>which might be a little redundant but gets me the following output:</P> <PRE><CODE>Timestamp avg(RTT) 11/12/13 11:18:00 0.10945 11/12/13 11:18:01 0.13556 </CODE></PRE> <P>I'd like to somehow chart this over time like the transaction command.</P> <P>Can someone point me in the right direction? I thought the timechart command could be used if the first column of data is a timestamp but all my combinations of chart/timechart return "No Results Found".</P> Tue, 12 Nov 2013 19:58:14 GMT RMartinezDTV 2013-11-12T19:58:14Z https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139170#M38235 <P>Hi, I'm working on speeding up searches that I initially wrote using the <EM>transaction</EM> command.</P> <P>A transaction is defined in my case as two different timestamped events (each event has 2 data lines). I want to get the average transaction time of all transactions occurring in a 10min period, which I can do with this:</P> <PRE><CODE>&lt;data&gt; | transaction transID maxevents=2 | timechart span=10m avg(duration) </CODE></PRE> <P>I'm attempting to avoid the transaction command in order to use auto-acceleration and speed-up execution time. My best attempt so far is the following (based on the Splunk doc example):</P> <PRE><CODE>&lt;data&gt; | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval t=strftime(start, "%m/%d/%y %H:%M:%S") | table t, RTT | chart avg(RTT) by t </CODE></PRE> <P>which might be a little redundant but gets me the following output:</P> <PRE><CODE>Timestamp avg(RTT) 11/12/13 11:18:00 0.10945 11/12/13 11:18:01 0.13556 </CODE></PRE> <P>I'd like to somehow chart this over time like the transaction command.</P> <P>Can someone point me in the right direction? I thought the timechart command could be used if the first column of data is a timestamp but all my combinations of chart/timechart return "No Results Found".</P> Tue, 12 Nov 2013 19:58:14 GMT https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139170#M38235 RMartinezDTV 2013-11-12T19:58:14Z https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139171#M38236 <P>No, what <CODE>timechart</CODE> does is roughly this: "<CODE>bucket _time | chart somefunction(X) over _time</CODE>". So it's got nothing to do with what is in the first column - <CODE>_time</CODE> will always be used.</P> <P>Building on your example you could just switch the last <CODE>chart</CODE> command for <CODE>bucket start | chart avg(RTT) over start by t</CODE> if you want to get results over time.</P> Tue, 12 Nov 2013 20:28:12 GMT https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139171#M38236 Ayn 2013-11-12T20:28:12Z https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139172#M38237 <P>Thanks so much!<BR /> Between this advice and your comments on this thread about time format conversion: <A href="http://answers.splunk.com/answers/52806/string-to-time-and-then-timechart">http://answers.splunk.com/answers/52806/string-to-time-and-then-timechart</A> I have <EM>exactly</EM> what I need. I'll put my search query below for others to learn from.</P> Tue, 12 Nov 2013 21:55:48 GMT https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139172#M38237 RMartinezDTV 2013-11-12T21:55:48Z https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139173#M38238 <P><DATA> | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval _time=start | timechart avg(RTT)</DATA></P> <P>The key is to set the implicit _time field to be my calculated time field (called start). Then timechart works correctly. The bucketing idea works as well, but this is more concise.</P> Mon, 28 Sep 2020 15:15:52 GMT https://community.splunk.com/t5/Splunk-Search/Getting-Transaction-Times-Without-Transaction-Command/m-p/139173#M38238 RMartinezDTV 2020-09-28T15:15:52Z