I have built a search with transaction which works beautifully on 6.1.2 and now I am trying to get base transaction events which mark the beginning of a problem. I am filtering down my transaction using the duration field e.g. "| search duration>3". After reading the documentation for localize, if I supply a reasonable maxpause value and set timebefore and timeafter to 0 I should get a list of events which localize my incidents. I have tried maxpause of 30s, 5s, default which is documented as 60s, and I have both left timebefore and timeafter as the default and tried zero and no matter what, localize appears to be giving me little or zero results when there are clearly events in the results before localize. Does this sound like a misuse or a bug? Can you think of another way to get the event count per incident and the times of base events/transactions in each blob of slow transactions as found by my search?
[UPDATE - thanks ppablo]
Thanks ppablo, I understand, it would take me a while to sufficiently mask my data. The basic things at play are pretty simple though, transaction is grouping my data into sets of two events, a request and a response, and it is adding a duration field. I am adding "| search duration > 3" to locate interesting transactions and I want to use localize to tell me something about the clumps of these slow transactions, most importantly the time of the first one.
As a little more concrete example consider the following search:
In a certain hour, this produces 543 transactions in the results, made up of 543 event pairs and most of these can be localized, by looking at the timeline, to 5 separate 4-15 second incidents which are not continuous. After reading what the localize command did, I surmised that I could do the following and get 5 results including the ranges of these incidents:
Thanks for viewing and at least thinking about it, Splunk Answers community. I solved my problem by writing a Python search command which I named clusterstats and I shared it with the world at http://apps.splunk.com/app/1869/
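
The grouping the post is after (event count per incident and the time of the first slow transaction in each clump), as an added Python example; it is not the code of the clusterstats app linked above and does not reproduce the exact semantics of Splunk's localize command. The field names `_time` and `duration` follow the post; the function name, the `Incident` record and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Incident:
    start: float  # epoch start time of the first slow transaction in the clump
    end: float    # latest finish time (start + duration) seen in the clump
    count: int    # number of slow transactions in the clump


def cluster_slow_transactions(transactions: Iterable[dict],
                              min_duration: float = 3.0,
                              maxpause: float = 30.0) -> List[Incident]:
    """Keep transactions with duration > min_duration and start a new
    incident whenever two consecutive slow starts are more than maxpause
    seconds apart (an assumed gap rule, measured start to start)."""
    slow = sorted((t for t in transactions if float(t["duration"]) > min_duration),
                  key=lambda t: float(t["_time"]))
    incidents: List[Incident] = []
    last_start = None
    for t in slow:
        start = float(t["_time"])
        finish = start + float(t["duration"])
        if last_start is None or start - last_start > maxpause:
            incidents.append(Incident(start=start, end=finish, count=1))
        else:
            current = incidents[-1]
            current.end = max(current.end, finish)
            current.count += 1
        last_start = start
    return incidents


# Constructed sample: request/response pairs already reduced to start + duration.
SAMPLE = [
    {"_time": 1000.0, "duration": 4.2},
    {"_time": 1001.5, "duration": 0.4},   # fast, filtered out
    {"_time": 1003.0, "duration": 5.0},
    {"_time": 1008.0, "duration": 3.5},
    {"_time": 1200.0, "duration": 6.0},
    {"_time": 1204.0, "duration": 3.1},
    {"_time": 1900.0, "duration": 2.9},   # below the duration>3 filter
    {"_time": 2000.0, "duration": 7.0},
]

if __name__ == "__main__":
    for inc in cluster_slow_transactions(SAMPLE):
        print(f"start={inc.start} end={inc.end} count={inc.count}")
```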