
use of streamstats over transaction command

ips_mandar
Builder

I have the sample events below:
type=2, time=04/03/2020 01:01:000
type=3, time=04/03/2020 01:16:000
type=3, time=04/03/2020 01:22:000
type=2, time=04/03/2020 02:20:000
type=4, time=04/03/2020 03:00:000
Here I want the duration that starts with type=2 and ends with type=3 OR type=4, without using the transaction command, since a transaction query becomes very slow.
Can I achieve the above using streamstats?
Thanks,


woodcock
Esteemed Legend

Try this:

index="YouShouldAlwaysSpecifyIndex" AND sourcetype="And sourcetypeToo"
| streamstats count(eval(type="3")) AS sessionID BY source
| stats range(_time) AS duration values(type) AS type BY sessionID
| search type="2" AND type="3"

to4kawa
Ultra Champion
index=yours sourcetype=yours
| eval time=strptime(time, "%m/%d/%Y %T%1N")
| reverse
| streamstats count(eval(type="2")) as sessions by source
| stats range(time) as duration by sessions

I don't know your field extraction.
Let's fix it.

ips_mandar
Builder

Let me give you some brief detail:
type-2 means GPS connection loss and type-3 means the GPS connection is restored.
Now I want to know for how much duration GPS was lost, so start with type-2 and end with type-3.
But in the data, type-3 may come multiple times consecutively, and similarly for type-2.
In one source those strings will appear multiple times, and I want to calculate the duration by source; within one source there can be many GPS losses, and I want all of those loss durations.
Hope this helps to understand my query clearly.
I have just now designed one query which will work only if I select one source at the start of the query, but it won't work for all sources using the by clause and global=false in streamstats.

|streamstats range(_time) as duration reset_after="("match(Type,\"2\")")" global=f window=2 by source

Appreciate your help.

to4kawa
Ultra Champion

I see your situation.
Please provide a sample log.


to4kawa
Ultra Champion

What's the transaction id?
And in your sample, what are the durations?


ips_mandar
Builder

The transaction id is source, and the duration starts from type=2 until the first type=3.

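As an added reference, not code from anyone in this thread: a small Python model of the per-source session logic the question describes (loss opens at type=2, closes at the first type=3 or type=4, repeated type=2/type=3 events neither restart nor split the session), run over events constructed from the sample above. The "source" field and the second source with an unclosed loss are assumptions; the expected durations it produces (900 s and 2400 s for the sample) are what a streamstats-based query should be checked against.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the events in the question; the "source"
# field is an assumption (the thread says durations are computed per source).
SAMPLE_EVENTS = [
    {"source": "gps-A", "type": 2, "time": "04/03/2020 01:01:000"},
    {"source": "gps-A", "type": 3, "time": "04/03/2020 01:16:000"},
    {"source": "gps-A", "type": 3, "time": "04/03/2020 01:22:000"},  # repeated restore
    {"source": "gps-A", "type": 2, "time": "04/03/2020 02:20:000"},
    {"source": "gps-A", "type": 4, "time": "04/03/2020 03:00:000"},
    {"source": "gps-B", "type": 2, "time": "04/03/2020 04:00:000"},  # loss never restored
]

def parse_time(value):
    # The sample's "HH:MM:SSS" reads as %T followed by one sub-second digit,
    # which is what to4kawa's "%T%1N" format string consumes.
    base, frac = value[:-1], value[-1]
    return datetime.strptime(base, "%m/%d/%Y %H:%M:%S") + timedelta(seconds=int(frac) / 10)

def loss_durations(events):
    """Per source, open a loss at the first type=2 and close it at the first
    type=3 or type=4 that follows. Repeated type=2 or type=3 events in between
    neither restart nor split the session. An unclosed loss is reported with
    duration None so it is not mistaken for a zero-length gap."""
    by_source = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        by_source[event["source"]].append(event)
    sessions = []
    for source, ordered in by_source.items():
        start = None
        for event in ordered:
            stamp = parse_time(event["time"])
            if event["type"] == 2 and start is None:
                start = stamp
            elif event["type"] in (3, 4) and start is not None:
                sessions.append({"source": source, "start": start, "end": stamp,
                                 "duration": (stamp - start).total_seconds()})
                start = None
        if start is not None:
            sessions.append({"source": source, "start": start, "end": None, "duration": None})
    return sessions

if __name__ == "__main__":
    for s in loss_durations(SAMPLE_EVENTS):
        print(s["source"], s["start"], s["end"], s["duration"])
```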