Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alternative to "transaction" command

clyde772
Communicator
‎07-20-2012 10:14 PM

Hey Splunkers~!

What is the alternative to "transaction" command? altimately to calculate transaction duration. We are in an LB environment where the data is scattered amongst 4 indexers. I've heard that transaction isn't map reduce-able.

Could a guru share a tip on calculating transaction duration with out using transaction? "stat" would work, but what would be a good way?

so it will look like

stats values(_time), values(desc), count by SESSION_ID

What would be a good way to calculate the start and end time?

Cheers!

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎07-20-2012 11:07 PM

Well, it is map-reduceable (and map-reduced by Splunk), it's just not very efficiently map-reduceable, due to fact that all events must be sent to the search head to assemble a transaction. However, if you are only interested in the duration, yes, you don't need to send all events, and therefore there are more efficient ways to compute it.

... | stats earliest(_time) as start latest(_time) as end by SESSION_ID | eval dur=end-start

or

... | stats range(_time) as dur by SESSION_ID
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...