Solved: Add a column with values based on whether or not i...

Splunkster45 · ‎01-06-2015

I want to be able to create a column on the statistic tab that has 1 if it is the start of the transaction or a 0 if it is the end of the transaction.
I figure that I need to use something similar to: | eval start_conditaion= and | eval stop_conditaion= however I'm not exactly sure how to write it.

Here's my code:

sourcetype="id_advanced" id2=* session=* | eval mytime=_time
| transaction id2 session startswith="start" endswith="stop"
| eval transactionid=id2._time
| stats min(mytime) AS start max(mytime) AS stop values(id2) AS id values(duration) AS duration by transactionid
| eval mytimeconcat="1_".start." -1_".stop
| eval mytimemv=split(mytimeconcat," ")
| mvexpand mytimemv

Here's what the raw data looks like:
2012-12-01 10:00:00 id2=A session=1 start
2012-12-01 10:10:00 id2=A session=1 whatever
2012-12-01 10:30:00 id2=A session=1 stop
2012-12-01 11:00:00 id2=B session=2 start
2012-12-01 11:05:00 id2=B session=2 whatever
2012-12-01 11:10:00 id2=C session=3 start
2012-12-01 11:15:00 id2=C session=3 whatever
2012-12-01 11:20:00 id2=C session=3 stop
2012-12-01 11:35:00 id2=B session=2 stop
2012-12-01 12:00:00 id2=D session=4 start
2012-12-01 12:10:00 id2=D session=5 start
2012-12-01 12:15:00 id2=D session=4 whatever
2012-12-01 12:20:00 id2=D session=4 stop
2012-12-01 12:20:00 id2=D session=5 stop

Since the mytimemv commands all look like 1_number or -1_number (depending on if it is a start or stop) I could potentially have one column be populated with a 1 with the mytimemv column starts with a 1 and the second column be populated with a 1 if the mytimemv column starts with a -1. However, a transaction command might not even be necessary, but I was going another direction with this earlier and so it is what I have right now. I'd be open to other suggestions.

Thanks in advance!

aweitzman · ‎01-06-2015

Why not just use eval?

...your search... 
| eval Start=if(match(_raw,"start"),1,0) 
| eval Stop=if(match(_raw,"stop"),1,0)
| table _time id2 Start Stop
| where (Start=1 OR Stop=1)

View solution in original post

aweitzman · ‎01-06-2015

Why not just use eval?

...your search... 
| eval Start=if(match(_raw,"start"),1,0) 
| eval Stop=if(match(_raw,"stop"),1,0)
| table _time id2 Start Stop
| where (Start=1 OR Stop=1)

Splunkster45 · ‎01-06-2015

I guess I've been thinking about this too hard. I knew of the match command, but I didn't know about _raw. Thanks

aweitzman · ‎01-06-2015

You're welcome.

aweitzman · ‎01-06-2015

Can you please provide an example of what you want your output to look like? I can't quite figure it out based on the information here.

Splunkster45 · ‎01-06-2015

Here's a rough picture of what I want it to look like. I don't care if there are other columns in there or not.

time................id..............Start..............Stop
10:00..............A...............1....................0
10:30..............A...............0....................1
11:00..............B............... 1...................0
11:10..............B...............0....................1
11:20..............C...............1....................0
11:35..............C............... 0...................1
12:00..............D...............1....................0
12:10..............D...............1....................0
12:20..............D...............0....................1
12:20..............D...............0....................1

Add a column with values based on whether or not it is a transaction starting condition or stopping condition

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life