topic Re: How to get a transaction command to work with a combination of indexTime and another field? in Splunk Search

How to get a transaction command to work with a combination of indexTime and another field?

dmacgillivray — Tue, 20 Sep 2016 19:10:21 GMT

Good Afternoon Splunk,

I have a question about some data that I am trying to evaluate for the transaction command. Below I have a snapshot of the data I am trying to get a the transaction statement to work but I have to be somewhat creative.

The goal is that I am trying to get the last event in this transaction, the max or last value. I believe to signify the transaction I may be able to start with the "Send To State" field as that is always = 0

But the end of the transaction I am having some trouble with, as you can see the data is not all that helpful.

My anticipated query for index time. Seems to at least pick up values in steps.

| eval IndexTime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")

Somehow I would like to correlate the index time and another field so that I may then say
SendToState was the beginning of this and the end was the combination of an indextime and some other field, but I am at a loss what I could do. Any help would be appreciated.

Thanks,
Daniel MacGillivray

Re: How to get a transaction command to work with a combination of indexTime and another field?

lguinn2 — Wed, 21 Sep 2016 00:24:21 GMT

What would "a transaction" look like? What defines a transaction - same type/sub-type of report? How does "IndexTime" affect the transaction?

It might be helpful to see the entire search string that you have so far...

Re: How to get a transaction command to work with a combination of indexTime and another field?

haley_swarnapat — Tue, 29 Sep 2020 11:03:56 GMT

It seems what you need is not a transaction, but a streamstats instead. append this to your SPML query:

| SORT "Type of Report", "Report Sub Type", "Report Generation Start Time", - _indextime
| STREAMSTATS current=t reset_on_change=t first(_indextime) as "first_time" last(_indextime) as "current_time" by "Type of Report", "Report Sub Type", "Report Generation Start Time"
| EVAL isfirst=IF(first_time==current_time, 1, 0)
| SEARCH isfirst=1

It should show you only the "last line" (max _indextime) for each report you generated

Re: How to get a transaction command to work with a combination of indexTime and another field?

dmacgillivray — Wed, 21 Sep 2016 15:52:46 GMT

Thanks Haley, as I was thinking about what Lguinn said to me previously, I found it difficult to have a transaction without values that were really going to work similar to a Web or VPN or some other type of transactional type logic.

Thanks everyone for your assistance, and working with me on this.