Solved: Getting transaction without using transaction comm...

melonman · ‎05-12-2014

Hi

I am using Hunk and I am looking for a way to get transaction (grouping events by userid with start transaction and stop transaction event).

For example, I have events something like this:

2014/05/01 00:00:01 userid=u01 action=start
2014/05/01 00:00:02 userid=u02 action=start
2014/05/01 00:00:03 userid=u01 action=stop
2014/05/01 00:00:04 userid=u03 action=start
2014/05/01 00:00:05 userid=u03 action=stop
2014/05/01 00:00:06 userid=u01 action=start
2014/05/01 00:00:07 userid=u01 action=stop
2014/05/01 00:00:08 userid=u02 action=stop

Search result with transaction command is :

index=main sourcetype=transtest
| transaction userid startswith=action=start endswith=action=stop
| table _time userid duration'

           _time            userid duration
--------------------------- ------ --------
2014-05-01 00:00:06.000 JST u01           1
2014-05-01 00:00:04.000 JST u03           1
2014-05-01 00:00:02.000 JST u02           6
2014-05-01 00:00:01.000 JST u01           2

My try without transaction command is like this :

index=main sourcetype=transtest
| stats min(_time) as _time max(_time) as max by userid
| eval duration = max - _time
| table _time userid duration

           _time            userid duration
--------------------------- ------ --------
2014-05-01 00:00:01.000 JST u01           6
2014-05-01 00:00:02.000 JST u02           6
2014-05-01 00:00:04.000 JST u03           1

I want to get the result I get from transaction command, but I can not use transaction command because of the limitation of Hunk.

Is there any way to get transaction information without using transaction command?

Any commend would be appreciated.

Ledion_Bitincka · ‎05-12-2014

Melonman, what exactly are you trying to get out of the data? Maybe we can find a way to get it without using transactions command

View solution in original post

Ledion_Bitincka · ‎05-12-2014

Melonman, what exactly are you trying to get out of the data? Maybe we can find a way to get it without using transactions command

Ledion_Bitincka · ‎05-12-2014

Hmmm, since events are not guaranteed to be processed in any particular order and you absolutely need order to match the most recent start with the correct stop event (to compute the duration) there's no way around this without transaction. You can force the ordering of the events before transaction, eg. "search .... | sort - _time | transaction ...."

melonman · ‎05-12-2014

I am trying to get the duration (time between start and stop) for each userid and each transaction. After what, I want to get the count of transaction, min, avg, max of transaction duration for each userid. Probably I will add another search to filter something like where max>100sec or so.

MuS · ‎05-12-2014

Hi melonman,

this is because the stats result for u01 looks like this:

2014/05/01 00:00:01 userid=u01 action=start
2014/05/01 00:00:03 userid=u01 action=stop
2014/05/01 00:00:06 userid=u01 action=start
2014/05/01 00:00:07 userid=u01 action=stop

and using min and max on this will result in min=00:00:01 max=00:00:07, therefore you will get a duration of 6.

based on the provided example data and using streamstats I can get what you want:

the base search to get the events | streamstats current=f last(userid) AS last_userid last(action) AS last_action last(_time) as last_time by userid | eval duration=last_time - _time  | where last_action="stop" AND action="start" | table _time userid duration

the result will look like this:

Hope this helps ...

cheers, MuS

MuS · ‎05-12-2014

dammit.... 🙂

melonman · ‎05-12-2014

Thank you very much for your great thought.
However, streamstats does not guarantee ddescending time order of events :

http://docs.splunk.com/Documentation/Hunk/6.1/Hunk/Searchavirtualindex

Ummm...

Getting transaction without using transaction command

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk