Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting Transaction Times Without Transaction Command

RMartinezDTV
Path Finder
‎11-12-2013 11:58 AM

Hi, I'm working on speeding up searches that I initially wrote using the transaction command.

A transaction is defined in my case as two different timestamped events (each event has 2 data lines). I want to get the average transaction time of all transactions occurring in a 10min period, which I can do with this:

<data> | transaction transID maxevents=2 | timechart span=10m avg(duration)

I'm attempting to avoid the transaction command in order to use auto-acceleration and speed-up execution time. My best attempt so far is the following (based on the Splunk doc example):

<data> | stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval t=strftime(start, "%m/%d/%y %H:%M:%S") | table t, RTT | chart avg(RTT) by t

which might be a little redundant but gets me the following output:

Timestamp                    avg(RTT)
11/12/13 11:18:00            0.10945
11/12/13 11:18:01            0.13556

I'd like to somehow chart this over time like the transaction command.

Can someone point me in the right direction? I thought the timechart command could be used if the first column of data is a timestamp but all my combinations of chart/timechart return "No Results Found".

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-12-2013 12:28 PM

No, what timechart does is roughly this: "bucket _time | chart somefunction(X) over _time". So it's got nothing to do with what is in the first column - _time will always be used.

Building on your example you could just switch the last chart command for bucket start | chart avg(RTT) over start by t if you want to get results over time.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-12-2013 12:28 PM

No, what timechart does is roughly this: "bucket _time | chart somefunction(X) over _time". So it's got nothing to do with what is in the first column - _time will always be used.

Building on your example you could just switch the last chart command for bucket start | chart avg(RTT) over start by t if you want to get results over time.

Reply
Solved! Jump to solution

RMartinezDTV
Path Finder
‎11-12-2013 01:57 PM

| stats min(_time) AS start max(_time) AS end by transID | eval RTT=end-start | eval _time=start | timechart avg(RTT)

The key is to set the implicit _time field to be my calculated time field (called start). Then timechart works correctly. The bucketing idea works as well, but this is more concise.

0 Karma
Reply
Solved! Jump to solution

RMartinezDTV
Path Finder
‎11-12-2013 01:55 PM

Thanks so much!
Between this advice and your comments on this thread about time format conversion: http://answers.splunk.com/answers/52806/string-to-time-and-then-timechart I have exactly what I need. I'll put my search query below for others to learn from.

0 Karma
Reply
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...

Splunk ITSI & Correlated Network Visibility

 Take Your Network Visibility to the Next LevelIn today’s complex IT environments, performance issues can stem ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...