https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203198#M59036 <P>Please try this.</P> <P>index=iis earliest=-7d@d latest=@d | eval c_time=_time | eval c_time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eventstats max(system_mem) as max_mem, min(system_mem) as min_mem by GUID | search system_mem=max_mem OR system_mem=min_mem | fields - max_mem, min_mem | transaction GUID mvlist=t keepevicted=true | table GUID c_time cs_uri_stem system_mem</P> <P>Hope it helps you.</P> Tue, 29 Sep 2020 07:13:05 GMT thirumalreddyb 2020-09-29T07:13:05Z https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203196#M59034 <P>Hi,</P> <P>I have a parameter <CODE>system_mem</CODE> that records the memory usage of an application.</P> <P>I am trying to do analysis by using transactions and see each session, for the previous 100 events or so, leading up to the max memory usage.</P> <P>Is it possible to have something like the search below? Currently, my transactions do not end with the maximum <CODE>system_mem</CODE> experienced by the user. Why is this?</P> <PRE><CODE>index=iis earliest=-7d@d latest=@d | eval c_time=_time | eval c_time=strftime(_time,"%Y-%m-%d %H:%M:%S") | transaction GUID maxpause=60min endswith=(eventstats=max(system_mem)) mvlist=t keepevicted=true | table GUID c_time cs_uri_stem system_mem </CODE></PRE> <P>To note I do not have a sessionId, only a unique user ID.</P> <P>Thanks,</P> <P>Dan</P> Wed, 02 Sep 2015 08:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203196#M59034 DanielFordWA 2015-09-02T08:31:30Z https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203197#M59035 <P>If I understand you correctly and we are assuming that a "session" can be inferred by an increase of memory usage (e.g. so long as memory is increasing, it is the same session; whenever it decreases, a new session has begun), then we can manufacture a sessionID using <CODE>streamstats</CODE> like this:</P> <PRE><CODE>index=iis earliest=-7d@d latest=@d | eval c_time=_time | eval c_time=strftime(_time,"%Y-%m-%d %H:%M:%S") | reverse | streamstats current=f last(system_mem) AS prev_system_mem BY GUID | eval new_session=if((system_mem&lt;prev_system_mem),"TRUE",null()) | streamstats current=t count(new_session) AS sessionID BY GUID </CODE></PRE> <P>Now each GUID's event has a <CODE>sessionID</CODE> field that can be used to distinguish/group events that can be exploited by tacking on something like <CODE>| stats blah blah blah BY GUID sessionID</CODE>.</P> <P>Any time that you can avoid <CODE>transaction</CODE>, you should; it is <EM>very</EM> slow/costly to use it.</P> Wed, 02 Sep 2015 14:07:54 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203197#M59035 woodcock 2015-09-02T14:07:54Z https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203198#M59036 <P>Please try this.</P> <P>index=iis earliest=-7d@d latest=@d | eval c_time=_time | eval c_time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eventstats max(system_mem) as max_mem, min(system_mem) as min_mem by GUID | search system_mem=max_mem OR system_mem=min_mem | fields - max_mem, min_mem | transaction GUID mvlist=t keepevicted=true | table GUID c_time cs_uri_stem system_mem</P> <P>Hope it helps you.</P> Tue, 29 Sep 2020 07:13:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-parameter-that-records-memory-usage-how-do-I-get-my/m-p/203198#M59036 thirumalreddyb 2020-09-29T07:13:05Z