Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate time between events - query taking a long time

giguere1
Engager
‎05-12-2015 02:37 PM

Here is my query:

index=something st=something (EventID=9999 OR EventID=9998 OR EventID=9997 OR EventID=9996) | transaction maxspan=10s maxpause=2 host startswith=eval(EventID=9997 OR EventID=9996) endswith=eval(EventID=9999 OR EventID=9998)

The first 2 events are the start of the event and the last 2 events are the end of the event. Any help would be appreciated. Thanks.

Tags (2)
0 Karma
Reply

giguere1
Engager
‎05-19-2015 09:55 AM

Both streamstats and transcation are taking forever. I talked to our enterprise admin and ran job inspector on the search. Everything is failing because of a misconfig in dispatch.conf. I guess we have a ticket in with splunk right now, but it looks like that will need to get cleaned up before any of this gets better. Thanks for all your help. I am still open to more ideas.
-pg

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-19-2015 10:04 AM

All glory to the job inspector.

Reply

woodcock
Esteemed Legend
‎05-14-2015 06:53 AM

As far as multiple transactions/hosts, so long as transaction events with the same host do not intermingle, this can also be handled without transaction like this:

index=something st=something (EventID=9999 OR EventID=9998 OR EventID=9997 OR EventID=9996) | eval startswith=if((EventID=9997 OR EventID=9996),_time,null()) | streamstats current=f last(startswith) AS startswithByHost by host | eval duration=startswithByHost-_time

Once this is run, every event will contain 2 new fieds: startswithByHost is the _time value of the nearest previous 9997 or 9996 that shares the same host value as this event and duration is the difference between this event's _time value and startswithByHost. Now the user can tack on any additional pipes/commands that he needs to finish his summary, all without the heavy overhead (which was the OP's original complaint, that of the "long time") of the transaction command.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2015 07:35 AM

eventstats would assign one value for all events, giving you incorrect durations. This may be made to work with streamstats though.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-14-2015 07:57 AM

Correct, I meant streamstats; good catch!

 index=something st=something (EventID=9999 OR EventID=9998 OR EventID=9997 OR EventID=9996) | eval startswith=if((EventID=9997 OR EventID=9996),_time,null()) | streamstats last(startswith) AS startswithByHost by host | eval duration=startswithByHost-_time
0 Karma
Reply

giguere1
Engager
‎05-18-2015 08:40 AM

AWESOME! I'm trying this now. Sorry guys, I was on vacation most of last week.
-pg

0 Karma
Reply

woodcock
Esteemed Legend
‎05-13-2015 05:08 PM

The transaction does many things that you don't appear to need; try this instead (simpler and quicker):

index=something st=something (EventID=9999 OR EventID=9998 OR EventID=9997 OR EventID=9996) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by host | eval duration=lastTime-firstTime
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2015 02:15 AM

This is going to break terribly as soon as one host has more than one transaction in the searched timespan.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2015 03:21 PM

To see what's taking up the time you could post the job inspector output.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-12-2015 03:06 PM

Help with what exactly?

0 Karma
Reply

giguere1
Engager
‎05-12-2015 03:08 PM

I want to show the amount of time on a barchart per day that is transacting for all hosts in one number. Right now this query, they way i have it, is taking far too long to gen. I am looking for more efficient ways to do this.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...