topic Re: transaction that ends if a certain value changes in Splunk Search

transaction that ends if a certain value changes

christianhuber — Wed, 05 Jul 2017 12:33:09 GMT

Hi all,

I'am sure there was already someone that had this problem and there is probably a answer right in front of me. But with all the effort reading trough splunk answer I couldn't find a proper solution.

My Log file:

12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false

What I would like to have as e result:

12:00:00 name=SENSOR1 value=true duration=240
12:04:00 name=SENSOR1 value=false duration=420
12:11:00 name=SENSOR1 value=true duration=240

My Current Search :

value=true | transaction value, name maxpause=140s |append [search value=false | transcation value, name maxpause=140s]

Which gives me

12:00:00 name=SENSOR1 value=true duration=180
12:04:00 name=SENSOR1 value=false duration=60
12:10:00 name=SENSOR1 value=false duration=0
12:11:00 name=SENSOR1 value=true duration=180

So I know the Problem I have is the maxpause, how can I handle that problem ? If I'am increasing the maxpause it will combine events that shouldn't be together. But I still would like to have one event for as this is in my case one transaction, and it's possible that a sensor doesn't send regularly a status value.

any help or link to a already answered question would be nice

Christian

Re: transaction that ends if a certain value changes

cmerriman — Wed, 05 Jul 2017 15:10:03 GMT

try to use streamstats.

| makeresults |eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"|makemv data delim="," |mvexpand data|rename data as _raw|kv|convert auto(time) as _time|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats

adding something along the lines of:

|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

might help. might need a little adjusting, though

Re: transaction that ends if a certain value changes

sbbadri — Tue, 29 Sep 2020 14:43:05 GMT

I hope it helps,

Re: transaction that ends if a certain value changes

christianhuber — Fri, 07 Jul 2017 07:54:01 GMT

Hi,

Thanks but I think the problem will resists as, the maxpause is still making sure that after 140s no event receives, a new transaction is started.

Re: transaction that ends if a certain value changes

christianhuber — Fri, 07 Jul 2017 07:54:36 GMT

I will try this, a give feedback. At the first glance it looks pretty good for me.