
Getting Transaction Times Without Transaction Command

RMartinezDTV
Path Finder

Hi, I'm working on speeding up searches that I initially wrote using the transaction command.

A transaction is defined in my case as two different timestamped events (each event has 2 data lines). I want to get the average transaction time of all transactions occurring in a 10min period, which I can do with this:

<data> | transaction transID maxevents=2 | timechart span=10m avg(duration)

I'm attempting to avoid the transaction command in order to use auto-acceleration and speed up execution time. My best attempt so far is the following (based on the Splunk doc example):

<data> | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval t=strftime(start, "%m/%d/%y %H:%M:%S") | table t, RTT | chart avg(RTT) by t

which might be a little redundant but gets me the following output:

Timestamp                    avg(RTT)
11/12/13 11:18:00            0.10945
11/12/13 11:18:01            0.13556

I'd like to somehow chart this over time like the transaction command.

Can someone point me in the right direction? I thought the timechart command could be used if the first column of data is a timestamp but all my combinations of chart/timechart return "No Results Found".


Ayn
Legend

No, what timechart does is roughly this: "bucket _time | chart somefunction(X) over _time". So it's got nothing to do with what is in the first column - _time will always be used.

Building on your example you could just switch the last chart command for bucket start | chart avg(RTT) over start by t if you want to get results over time.

RMartinezDTV
Path Finder

| stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval _time=start | timechart avg(RTT)

The key is to set the implicit _time field to be my calculated time field (called start). Then timechart works correctly. The bucketing idea works as well, but this is more concise.
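The following is an added reference model of what that final search computes, written here for the thread and not taken from the original post or from Splunk. It reimplements the stats-then-timechart pipeline over a constructed set of paired events (the transID values, timestamps and the 600-second span are assumptions), so you can see why setting _time to the transaction start is what makes timechart bucket the RTTs correctly. It also shows the caveat the stats approach hides: a transID with only one event gets RTT 0 from min/max, which would drag the average down, so the model drops incomplete transactions (an added check, not part of the posted search).

```python
from collections import defaultdict
from datetime import datetime, timezone


def ts(text, offset=0.0):
    """Parse a timestamp in the thread's %m/%d/%y %H:%M:%S format as UTC epoch seconds."""
    base = datetime.strptime(text, "%m/%d/%y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + offset


# Constructed sample data: (transID, _time). Each transaction is two timestamped
# events, mirroring the thread's data; T4 is deliberately an orphan with one event.
SAMPLE_EVENTS = [
    ("T1", ts("11/12/13 11:18:00")),
    ("T1", ts("11/12/13 11:18:00", 0.10)),
    ("T2", ts("11/12/13 11:18:01")),
    ("T2", ts("11/12/13 11:18:01", 0.14)),
    ("T3", ts("11/12/13 11:28:20")),        # falls in the next 10-minute bucket
    ("T3", ts("11/12/13 11:28:20", 0.50)),
    ("T4", ts("11/12/13 11:28:30")),        # incomplete transaction, no RTT
]


def transaction_rtts(events):
    """Equivalent of: stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start

    Returns {transID: (start, RTT)}. Transactions with fewer than two events are
    skipped (assumption: this matches the intent of maxevents=2 in the transaction
    version; plain stats would instead report RTT=0 for them).
    """
    by_id = defaultdict(list)
    for trans_id, t in events:
        by_id[trans_id].append(t)
    rtts = {}
    for trans_id, times in by_id.items():
        if len(times) < 2:
            continue
        start, end = min(times), max(times)
        rtts[trans_id] = (start, end - start)
    return rtts


def timechart_avg_rtt(rtts, span=600):
    """Equivalent of: eval _time=start | timechart span=10m avg(RTT)

    timechart buckets on _time only, so the transaction start is assigned to
    _time before bucketing. Returns {bucket_start_epoch: avg_RTT} in time order.
    """
    buckets = defaultdict(list)
    for start, rtt in rtts.values():
        bucket = int(start // span * span)      # floor to the span boundary
        buckets[bucket].append(rtt)
    return {b: sum(v) / len(v) for b, v in sorted(buckets.items())}


if __name__ == "__main__":
    chart = timechart_avg_rtt(transaction_rtts(SAMPLE_EVENTS))
    for bucket, avg in chart.items():
        label = datetime.fromtimestamp(bucket, timezone.utc).strftime("%m/%d/%y %H:%M:%S")
        print(f"{label}    {avg:.5f}")
```

Running it prints one row per 10-minute bucket (11:10:00 and 11:20:00 for the sample), which is the same shape timechart returns once _time carries the transaction start.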

RMartinezDTV
Path Finder

Thanks so much!
Between this advice and your comments on this thread about time format conversion: http://answers.splunk.com/answers/52806/string-to-time-and-then-timechart I have exactly what I need. I'll put my search query below for others to learn from.
