Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using transaction to detect timeouts

jbrenner
Path Finder
‎08-31-2017 10:35 AM

I would like to use the transaction command to find adjacent log entries with the same IP and different Session IDs.
Ideally, I would only like to return adjacent pairs of log statements with at least a 15 minute timestamp difference between them.

Here is the REX I'm using to extract SESSION_ID:

rex field=_raw "-S:(?<SESSION_ID>\w+)-"

Thanks!
Jonathan

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2017 05:28 PM

Try this:

Your Base Search Here
|  rex field=_raw "-S:(?<SESSION_ID>\w+)-"
| streamstats time_window=900 min(_time) AS start range(_time) AS duration values(SESSION_ID) dc(SESSION_ID) AS numSessions BY host
| search numSessions>1
0 Karma
Reply

cmerriman
Super Champion
‎08-31-2017 12:12 PM

some examples of your data would be helpful. transaction will only allow you to put in arguments for max pause, though you could search for durations after the fact. 

|transaction IP SESSION_ID maxevents=2|search duration>=900

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Transaction

i prefer streamstats, myself.

|sort 0 IP SESSION_ID + _time
| streamstats window=1 current=f values(_time) as previousTime by IP SESSION_ID|eval duration=_time-previousTime|search duration>=900

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Streamstats

just for ideas.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...