Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

transaction startswith 1, endswith multiple

leea11
Engager
‎05-29-2014 10:00 AM

Hi all, simple question I hope.
I have a system that has one starting event with multiple outputs and I want to find out how long it takes for the system to produce each output. When I use a transaction, it only seems to give me the combination of the input and just one of the outputs, where I actually need all of the outputs. 

transaction  activity_id startswith=input_event_name, endswith=output_event_name

Any ideas how I can include all the the outputs? Or is there a much better way to do this?

Many thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-29-2014 01:54 PM

How about using stats instead of transaction? Perhaps something like this:

... your search ... 
| eval StartTime=if(searchmatch("input_event_name"),_time,null()) 
| eval EndTime=if(searchmatch("output_event_name"),_time,null()) 
| stats values(StartTime) as StartTime values(EndTime) as EndTime by activity_id
| mvexpand EndTime
| eval TransactionTime=EndTime - StartTime

This will give you the activity_id, start time, end time, and duration for every instance of output_event_name. If you need to see other information, just modify the stats statement to include it.

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-29-2014 01:54 PM

How about using stats instead of transaction? Perhaps something like this:

... your search ... 
| eval StartTime=if(searchmatch("input_event_name"),_time,null()) 
| eval EndTime=if(searchmatch("output_event_name"),_time,null()) 
| stats values(StartTime) as StartTime values(EndTime) as EndTime by activity_id
| mvexpand EndTime
| eval TransactionTime=EndTime - StartTime

This will give you the activity_id, start time, end time, and duration for every instance of output_event_name. If you need to see other information, just modify the stats statement to include it.

Reply
Solved! Jump to solution

wpreston
Motivator
‎05-30-2014 05:59 AM

You're very welcome, happy to help!

0 Karma
Reply
Solved! Jump to solution

leea11
Engager
‎05-30-2014 02:16 AM

A thousand thank yous wpreston, that worked a treat!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-29-2014 12:29 PM

Can you provide some sample logs?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2014 10:26 AM

I don't know how to handle that situation in a transaction, but perhaps this will help.

input_event_name | join activity_id max=0 overwrite=false [ search output_event_name ] | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...