I am using a transaction command to correlate web requests and responses which arrive as different events. The search returns accurate results for a full day (i.e. yesterday, a specific day, etc.) except when the request is made prior to midnight and the response is made after midnight. Is there a way to allow the transaction command to evaluate events from the next day although they are outside of the range selected in the Date Picker? If not, would using a join or sub-search approach provide me the opportunity to get the responses from the next day only for those requests open from the prior day?
Transaction does not go outside the time range of the search since it is only grouping events after they have been returned and does not affect the results returned by previous pipes in the search.
What you might want to do is expand the time range a little bit on either end to try to catch those starts and ends. For example you could include 11:55 PM to 12:05 AM, then filter further down in the search for transactions where adding the duration to _time doesn't put it on the current date to get rid of ones that started and finished before midnight. Filter again for transactions where _time gives the current date to rule out anything that started after midnight. To do that, you'd want to look at eval functions like strftime(), now(), relative_time().
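The widen-then-filter approach from the answer above, modelled in Python rather than SPL so the boundary cases can be checked; this is an added example, not code from the original posts. The events, the field names and the helpers `transactions` and `for_day` are constructed for illustration, and it keeps every transaction that started on the selected day while flagging the ones that end after midnight.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample events (assumed shape): (timestamp, request_id, kind)
EVENTS = [
    ("2024-03-04 23:58:10", "a1", "request"),   # started the day before
    ("2024-03-05 00:00:05", "a1", "response"),
    ("2024-03-05 10:15:00", "b2", "request"),   # entirely inside the day
    ("2024-03-05 10:15:02", "b2", "response"),
    ("2024-03-05 23:59:58", "c3", "request"),   # response lands after midnight
    ("2024-03-06 00:00:03", "c3", "response"),
    ("2024-03-06 00:02:00", "d4", "request"),   # started after midnight
    ("2024-03-06 00:02:01", "d4", "response"),
]
DAY = datetime(2024, 3, 5)  # the day chosen in the time picker (assumed)

def parse(events):
    return [(datetime.strptime(ts, FMT), rid, kind) for ts, rid, kind in events]

def transactions(events, earliest, latest):
    """Pair request/response by id, seeing only events in [earliest, latest).
    Like the transaction command, it cannot see events outside the range."""
    start, out = {}, []
    for ts, rid, kind in sorted(e for e in events if earliest <= e[0] < latest):
        if kind == "request":
            start[rid] = ts
        elif rid in start:  # a response with no visible request is dropped
            began = start.pop(rid)
            out.append({"id": rid, "_time": began, "duration": ts - began})
    return out

def for_day(events, day, pad_minutes=5):
    """Search a padded window, then keep transactions whose start is on `day`."""
    pad = timedelta(minutes=pad_minutes)
    day_end = day + timedelta(days=1)
    kept = [t for t in transactions(events, day - pad, day_end + pad)
            if day <= t["_time"] < day_end]  # drops a1 (day before) and d4 (day after)
    for t in kept:
        # _time + duration falling on the next date marks a midnight crosser
        t["crosses_midnight"] = t["_time"] + t["duration"] >= day_end
    return kept

if __name__ == "__main__":
    for t in for_day(parse(EVENTS), DAY):
        print(t["id"], t["_time"], t["duration"], t["crosses_midnight"])
```

With `pad_minutes=0` the search sees only the selected day and transaction `c3` is lost, which is the behaviour described in the question.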
Hi jpcontrerasaditum,
No, it's not possible, because each command after a pipe ("|") takes as input the result of everything before the pipe.
As a workaround, you could create a dashboard where in one panel you can put your main search to locate the transaction to check.
Then with a click on the row you want to verify, you open a new panel in the same dashboard showing only events related to that transaction that you can identify with a transaction code or with the fields you used in the transaction command.
You could also put both the searches in the same panel but the resulting search will be very slow!
Bye.
Giuseppe