Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alternative to "transaction" command

clyde772
Communicator
‎07-20-2012 10:14 PM

Hey Splunkers~!

What is the alternative to "transaction" command? altimately to calculate transaction duration. We are in an LB environment where the data is scattered amongst 4 indexers. I've heard that transaction isn't map reduce-able.

Could a guru share a tip on calculating transaction duration with out using transaction? "stat" would work, but what would be a good way?

so it will look like

stats values(_time), values(desc), count by SESSION_ID

What would be a good way to calculate the start and end time?

Cheers!

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎07-20-2012 11:07 PM

Well, it is map-reduceable (and map-reduced by Splunk), it's just not very efficiently map-reduceable, due to fact that all events must be sent to the search head to assemble a transaction. However, if you are only interested in the duration, yes, you don't need to send all events, and therefore there are more efficient ways to compute it.

... | stats earliest(_time) as start latest(_time) as end by SESSION_ID | eval dur=end-start

or

... | stats range(_time) as dur by SESSION_ID
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...