https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176641#M50742 <P>Following query has been used to calculate duration for individual source (input files) for last 5 days:</P> <PRE><CODE>index="my_index" earliest=-5d latest=now| transaction source maxevents=-1 | eval day=strftime(_time,"%m/%d/%Y")| sort - day sourcetype| table day,sourcetype,source,duration </CODE></PRE> <P>Only transaction by source is used, hoping it would capture all the input files which have unique file name, thus separating its sourcetype and date.</P> <P>Basically, just need to display duration per individual source file per sourcetype per day.</P> <P>Thanks,</P> <P>Sanjay </P> Thu, 12 Dec 2013 15:45:12 GMT sanjay_shrestha 2013-12-12T15:45:12Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176641#M50742 <P>Following query has been used to calculate duration for individual source (input files) for last 5 days:</P> <PRE><CODE>index="my_index" earliest=-5d latest=now| transaction source maxevents=-1 | eval day=strftime(_time,"%m/%d/%Y")| sort - day sourcetype| table day,sourcetype,source,duration </CODE></PRE> <P>Only transaction by source is used, hoping it would capture all the input files which have unique file name, thus separating its sourcetype and date.</P> <P>Basically, just need to display duration per individual source file per sourcetype per day.</P> <P>Thanks,</P> <P>Sanjay </P> Thu, 12 Dec 2013 15:45:12 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176641#M50742 sanjay_shrestha 2013-12-12T15:45:12Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176642#M50743 <P>Because you have no limit to the number of events in your transaction, and because you have no start and end points for your transactions, and furthermore you have nothing limiting the transactions other than "source", then you are going to get 1 event (transaction) per source value you have.</P> <P>You should calculate the day first, then use the day together with the source in your transaction. Like so:<BR /> index="my_index" earliest=-5d latest=now | eval day=strftime(_time,"%m/%d/%Y") | transaction source day maxevents=-1 | sort - day sourcetype| table day,sourcetype,source,duration</P> Mon, 28 Sep 2020 15:28:20 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176642#M50743 aholzer 2020-09-28T15:28:20Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176643#M50744 <P>Now the above simply answers your question. I'm sure that there is a more efficient way of going about doing what you need, but I currently don't have time to work on it <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>Hope the above helps.</P> Thu, 12 Dec 2013 16:25:09 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176643#M50744 aholzer 2013-12-12T16:25:09Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176644#M50745 <P>It worked by adding keepevicted=true to transaction command.</P> Thu, 12 Dec 2013 16:54:28 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176644#M50745 sanjay_shrestha 2013-12-12T16:54:28Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176645#M50746 <P>There is a much more efficient way to do this:</P> <PRE><CODE>index="my_index" earliest=-5d latest=now | eval day=strftime(_time,"%m/%d/%Y") | stats range(_time) as duration by day sourcetype source | eval duration=tostring(duration,"duration") </CODE></PRE> <P>This is faster and more scalable.</P> Thu, 12 Dec 2013 16:57:21 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176645#M50746 lguinn2 2013-12-12T16:57:21Z https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176646#M50747 <P>Thanks. It worked better that using transaction.</P> Thu, 12 Dec 2013 17:23:11 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-by-source-sourcetype-day/m-p/176646#M50747 sanjay_shrestha 2013-12-12T17:23:11Z