Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Average duration only if all stages complete

johnsmithbitter
Explorer
‎02-03-2014 03:31 AM

I'm trying to create a search that provides me with the average duration between VALIDATED and ARCHIVED only if it completes all the stages of the report. If a stage fails a FAILED message is written

The issue I currently have is the FAILED message creates a report called other in the chart

VALIDATED
STARTED
FINISHED
STARTED
FINISHED
ARCHIVED

index=myindex | transaction startswith="VALIDATED" endswith="ARCHIVED NOT FAILED" | timechart avg(duration) by Report

Thanks in Advanced

Tags (2)
0 Karma
Reply

johnsmithbitter
Explorer
‎02-13-2014 10:45 PM

.... | eval is_failed = mvfind(status_type, "FAILED") | where isnull(is_failed) | transaction report startswith="VALIDATED" endswith="ARCHIVED" | table report,duration

Worked! Thanks for your help Kristian

... | transaction report | at the start didn't seem to work for some reason

0 Karma
Reply

johnsmithbitter
Explorer
‎02-17-2014 08:37 PM

Thanks for explanation I have updated the search. I did noticed a typo

Thanks for your help!!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-13-2014 11:52 PM

Ooh, no... I think that you're not getting correct results.

The point of my earlier suggestion was to do the grouping first (i.e. the transaction), and then remove all transactions where either of the events have a FAILED status.

By removing the FAILED events before creating the transaction, you'll get the wrong results.

Also, the point of the mvfind() is that it the transaction creates a multi-valued field of status_type. Filtering regular fields can be done directly with status_type != FAILED (though this is not what you want in this case).

Please post som sample events.

Reply

johnsmithbitter
Explorer
‎02-11-2014 06:39 PM

Added update, thanks Kristian

0 Karma
Reply

johnsmithbitter
Explorer
‎02-09-2014 07:25 PM

updated -------- Captcha won't work on edit!

Thanks for looking at this for me Kristian

fields

event_type= Context,Enrichment,Calculation,Archival
Status_type= Validated,Started,Finished,Archived,Failed
Report= bb_12334_999 (Unique report id)

Stages the report goes through

Event_type= Context Status_type= Validated

Context Validated,
Enrichment Started,
Enrichment Finished,
Calculation Started,
Calculation Finished,
Archival Archived,

The 'Archived not Failed' in the search above was me just trying things to get it to work. I thought having a NOT statement somewhere would stop them being included, but I've tried it in numerous place but can't get it to work.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-12-2014 12:44 PM

Maybe I'm misunderstanding this, but is the Report in each of the events. If so, did you try :

... | transaction Report | eval is_failed = mvfind(Status_type, "FAILED") | where isnull(is_failed)
Reply

kristian_kolb
Ultra Champion
‎02-03-2014 03:44 AM

Please provide some more information;

Will a process where a stage fails move on to have ARCHIVED status? Or will it stop with the FAILED message?

What is "Report"? Some unique ID?

Does the string "ARCHIVED NOT FAILED" exist as such in a single event?

Please provide a few sample events.

/K

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...