Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Does localize work with transaction or am I misusi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have built a search with transaction which works beautifully on 6.1.2 and now I am trying to get base transaction events which mark the beginning of a problem. I am filtering down my transaction using the duration field e.g. "| search duration>3". After reading the documentation for localize, if I supply a reasonable maxpause value and set timebefore and timeafter to 0 I should get a list of events which localize my incidents. I have tried maxpause of 30s, 5s, default which is documented as 60s, and I have both left timebefore and timeafter as the default and tried zero and no matter what, localize appears t0 be giving me little or zero results when there are clearly events in the results before localize. Does this sound like a misuse or a bug? Can you think of another way to get the event count per incident and the times of base events/transactions in each blob of slow transactions as found by my search?
[UPDATE - thanks ppablo]
Thanks ppablo, I understand, it would take me a while to sufficiently mask my data. The basic things at play are pretty simple though, transaction is grouping my data into sets of two events, a request and a response, and it is adding a duration field. I am adding "| search duration > 3" to locate interesting transactions and I want to use localize to tell me something about the clumps of these slow transactions, most importantly the time of the first one.
As a little more concrete example consider the following search:
[my search] | transaction maxspan=1m startswith=REQ endswith=RES txn_id | search duration > 3
In a certain hour, this produces 543 transactions in the results, made up of 543 event pairs and most of these can be localized, by looking at the timeline, to 5 separate 4-15 second incidents which are not continuous. After reading what the localize command did, I surmised that I could do the following and get 5 results including the ranges of these incidents:
[my search] | transaction maxspan=1m startswith=REQ endswith=RES txn_id | search duration > 3 | localize maxpause=10s timebefore=0 timeafter=0
but it actually only 1 result with a count of 3 so it appears to not be doing what is documented.
Thanks,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for viewing and at least thinking about is Splunk answers community. I solved my problem by writing an python search command which I named clusterstats and I shared it with the world at http://apps.splunk.com/app/1869/
Yay me!
-sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for viewing and at least thinking about is Splunk answers community. I solved my problem by writing an python search command which I named clusterstats and I shared it with the world at http://apps.splunk.com/app/1869/
Yay me!
-sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @chanfoli
It'll be useful to post examples of your data and the current search you're using for search gurus on Answers to help you out 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
