topic Re: How to display the results of my transaction search in a table? in Splunk Search

How to display the results of my transaction search in a table?

Imjusttesting — Fri, 05 Feb 2016 13:32:00 GMT

Hi Everyone,

I'm having an issue displaying transaction data in Table.
The end result should look like this:

No | Driver ID | Start Date | Start Time | End Date | End Time |
1  |ACBCD      |2/5/2016    |09:00       |2/5/2016  |18:00     |

There are 2 criteria:
1) Total driving time exceed 8 hrs within 24 hrs by Start Time
2) End time is determine by Gap of more than 30 minutes

My searchstring looks like this, but is not able to display as a table

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m
| sort _time | streamstats count as TripNo by username
| table _time

Appreciate and feedback.

Re: How to display the results of my transaction search in a table?

Richfez — Fri, 05 Feb 2016 13:44:34 GMT

Without fixing anything else that may (or may not) be wrong with the search, your table doesn't include all the other items. Try something like...

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m
| sort _time | streamstats count as TripNo by username
| table TripNo, username, start_date, start_time, end_date, end_time

You will obviously have to use your own fieldnames - you didn't provide a sample event to work with so I could only pseudo-code them up.

Re: How to display the results of my transaction search in a table?

Imjusttesting — Fri, 05 Feb 2016 13:54:54 GMT

Thanks.

I tried your search string, Tripno, Username are included but Start and End time are not included.
Is there any way to include the Start and End time?

I'm using the _time for all event.

Re: How to display the results of my transaction search in a table?

Richfez — Fri, 05 Feb 2016 13:55:24 GMT

I'm also not sure this search will do quite what you want. I think your criteria 2 should be fine with your maxpause.

Criteria 1 - what actually do you mean? If you mean they CAN'T drive longer than 8 hours in a day, that's different from they SHOULDN'T drive more than 8 hours a day, which is completely different from "Find transactions where they DID drive longer than 8 hours in a 24 hour period." In several of those cases you may end up wanting maxspan=24h. You may have overlapping transactions within periods, though, which may force you to take a different tack. It would probably be worth a different question to answer that (to keep this one clean and easy to search), but there are answers for trickier things like that, see this as an example (the comments).

Those thoughts and links were just to get you started, hopefully just that bit of info will help you clarify what you are actually trying to display. If you need help with that, please ask, otherwise, have fun Splunking!

Re: How to display the results of my transaction search in a table?

renjith_nair — Fri, 05 Feb 2016 14:00:05 GMT

Try this for table format

sourcetype="xxxxxx" | transaction maxspan=8h maxpause=30m| sort _time 
|streamstats count as TripNo by username|eval end=_time+duration
|eval "Start Date"=strftime(_time,"%d-%b-%Y")|eval "End Date"=strftime(end,"%d-%b-%Y")
|eval "Start Time"=strftime(_time,"%H:%M:%S")|eval "End Time"=strftime(end,"%H:%M:%S")
|table TripNo username "Start Date" "Start Time" "End Date" "End Time"

Re: How to display the results of my transaction search in a table?

Imjusttesting — Fri, 05 Feb 2016 14:05:24 GMT

Thanks @renjith.nair

This work perfectly fine.
Now the next issues, are the criteria;
1) Total driving time exceed 8 hrs within 24 hrs by Start Time
2) End time is determine by Gap of more than 30 minutes

When i look at the Table, some of the data are not group within the 8 hours span and the Stop don't have a 30 mins gap

What the best way to deal with this?

Re: How to display the results of my transaction search in a table?

Imjusttesting — Fri, 05 Feb 2016 14:08:59 GMT

The 1st criteria is, we only need to identify driver that are driving for more than 8 hours.
2nd criteria, the Stop, is identify if there is more than 30 mins Gap.
(The data are constantly send every 1 mins and if the engine is cut off, nothing is send. Thus if there is no event between 30 mins after the last record, then that is a Stop)

Hope this clarify everything

Re: How to display the results of my transaction search in a table?

renjith_nair — Sat, 06 Feb 2016 02:58:40 GMT

Sorry didn't quite get that .
By 1 , do you mean
You want to find transaction which span across 24 hours and then divide them in 8 hrs span? or you want only thos transactions which are more than 8 hours only?

By 2 , Gap between what? between two transactions?

Re: How to display the results of my transaction search in a table?

Imjusttesting — Tue, 09 Feb 2016 02:18:51 GMT

Sorry, missed your message

1) I would like to include transaction which are more than 8 hours
2) The 30 mins gap is between the transaction. Meaning if there a 30 mins gap between the transaction, the next event will be a new event

Re: How to display the results of my transaction search in a table?

renjith_nair — Wed, 10 Feb 2016 04:54:37 GMT

If you would like to include only transaction which are more than 8hrs, then i think maxpause won't work here since maxpause limits the transaction to 8 hours

     Syntax: maxpause=<int>[s | m | h | d]
    Description: Specifies the maximum time in seconds, minutes, hours, or days that the events can span. The maxpause constraint requires there be no pause between a transaction's events of greater than maxpause. If value is negative, disable the maxpause constraint. 
    Default: -1 (no limit)

You should use maxpause only if the driver is supposed to drive only "x" hours which is not your case i believe.

If you have any other uniquely identified fields in these events to co-relate two events rather than time based, that would make things easier

Once you correct the initial search , then you can add |where duration > 28800 to get the transactions more than 8 hours

Re: How to display the results of my transaction search in a table?

Imjusttesting — Sun, 14 Feb 2016 12:53:14 GMT

Thanks 🙂
Working good.