Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alternative of transaction ?

lain179
Communicator
‎05-24-2013 04:28 PM

I have log lines that I need to group by 4 or 5 fields so that I can find the duration. I am using transaction, but it takes a long, long, long time even for 4 hours period. What's the best way to go around it?

Thanks

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-25-2013 12:28 AM

As martin_mueller noted, transaction can be rather resource expensive, and the stats variant he presented works well in a lot of situations. However, you might also (really really) need to limit the amount of events that the transaction command has to operate on.

This can be done by setting time constraints, specifying index, host, source, sourcetype etc, filtering out unwanted events, e.g. NOT debug.

Hope this helps,

k

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-25-2013 04:17 AM

Indeed - regardless of transaction, that's a good approach for every search and will make the stats substitute faster as well.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-24-2013 05:47 PM

An often quicker way to compute pseudo-transactions is stats with a by-attribute. Consider this:

some search | stats earliest(_time) as _time range(_time) as duration by transaction_id

This will compute the start and duration of each transaction. If you need more fields you can add more to the stats - the less you need, the faster it will be.

Note, this lacks features of transaction such as maxspan, maxpause, and so on. If you need those you will likely have to stick with transaction. You can use those to optimize the query by the way - if you for example know the maximum duration you may be able to drastically reduce the number of open transactions and speed things up without switching to stats.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...