Knowledge Management

use of streamstats over transaction command


I have below sample events-
type=2, time=04/03/2020 01:01:000
type=3, time=04/03/2020 01:16:000
type=3, time=04/03/2020 01:22:000
type=2, time=04/03/2020 02:20:000
type=4, time=04/03/2020 03:00:000
here I want duration which startswith="type=2" and endswith="type=3 OR type=4" without using transction command since using transaction query becomes very slow.
can I achieve above using streamstats?

Tags (1)
0 Karma

Esteemed Legend

Try this:

Index="YouShouldAlwaysSpecifyIndex" AND sourcetype="And sourcetypeToo"
| streamstats count(eval(type="3")) AS sessionID BY source
| stats range(_time) AS duration values(type) AS type BY sessionID
| search type="2" AND type="3"

Ultra Champion
index=yours sourcetype=yours
| eval time=strptime(time, "%m/%d/%Y %T%1N")
| reverse
| streamstats count(eval(type="2")) as sessions by source
| stats range(time) as duration by sessions

I don't know your field extraction.
let's fix it.


Let me give you some brief detail-
type-2 means gps connection loss and type-3 means it is gps connection restored.
Now I want to know for how much duration gps was loss so start with type-2 and end with type-3.
But in data type-3 may come multiple times in consecutive and similarly for type-2.
and in one source those strings will multiple times and i want to calculate duration by source and within one source there can be may gps loss happened and i want all those loss duration.
Hope this helps to understand my query clearly.
I have just now designed one query which will work only if I select one source in start of query but it won't be working for all source using by clause and global=false in streamstats.

|streamstats range(_time) as duration reset_after="("match(Type,\"2\")")" global=f window=2 by source

appreciate your help.

Ultra Champion

I see your situation.
please provide sample log.

0 Karma

Ultra Champion

what's transaction id?
and in your sample, what's the durations?

0 Karma


transaction id is source and duration starts from type=2 until first type=3

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...