Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get the rate of a transaction which run in a specific way

Jackiifilwhh
Path Finder
‎03-01-2022 04:53 AM

Background

In my system, every visit consist of one or more transactions and every has its global serial number, which is unique(gsn for short). A transaction may produce many rows of logs but it has the same gsn. A transaction always ends with "trans end transName", while the "transName" means the name of the transaction, a transaction named Test ends with "trans end Test", for example. Every transaction's name is unique.

Questions

Now I have a transaction named A, which in some case will do something specially and log "special". But other transactions will log "special" too. And most 1 "special" and 1 "trans end A" per gsn. How can I get the rate of transaction A that goes this way by just one command or, some fast ways than subsearch?

Tried

Below is what I've tried. The subsearch runs very slowly, which takes 5 min at least. If there's no one-command way, I want to get a  way faster than subsearch.

 

 

//get the count of transaction A
"trans end A" | stats count
//get the count of transaction A that runs specially
join type=inner gsn [search "trans end A"] | regex "special" | stats count

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2022 05:45 AM

Assuming at most 1 "special" and 1 "trans end A" per gsn

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(trans="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count by gsn
| where trans_end_A_count=1
| stats sum(trans_end_A_count) as trans_end_A_count sum(special_count) as special_count

View solution in original post

Reply
Solved! Jump to solution

Jackiifilwhh
Path Finder
‎03-01-2022 05:24 AM

@ITWhisperer 

Thank you! I'm sorry that I forget to say that other transactions may log "special" too! So it is not unique. I've modified the question, sorry!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2022 05:45 AM

Assuming at most 1 "special" and 1 "trans end A" per gsn

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(trans="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count by gsn
| where trans_end_A_count=1
| stats sum(trans_end_A_count) as trans_end_A_count sum(special_count) as special_count
Reply
Solved! Jump to solution

Jackiifilwhh
Path Finder
‎03-01-2022 06:53 AM

Hi @ITWhisperer 

Woooo! It's amazing! It worked well and I get what I want! When I saw this demand, I first thought of subsearch that connects the whole transaction by using gsn, but you found the nature! Because I'm more familiar with SQL, I prefer to use subsearch or other connected-command and think in SQL's way. I want to know how do you come up with this answer?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2022 07:07 AM

First thing is to forget SQL - Splunk SPL is different

Second thing is to avoid joins and subsearches in general if possible. This is because they are limited by the number of events they can process to 50,000.

The aggregation commands like stats, eventstats, streamstats, chart, timechart, etc. have a by clause which can be use to "join" events.

Using this, it is a case of working out which field (or fields) you can use to "join" your events and then process these aggregated events.

SPL works on a pipeline / stream of events, i.e. each command processes the events it received from further up the chain and passes them on.

Some commands will hold up the events until all events have been received before passing them on, consider sort for example, whereas others can process each event independently.

0 Karma
Reply
Solved! Jump to solution

Jackiifilwhh
Path Finder
‎03-01-2022 07:33 AM

Thank you very much for saying so much to me. I will remember these and think with practice in the future!

0 Karma
Reply
Solved! Jump to solution

Jackiifilwhh
Path Finder
‎03-01-2022 05:51 AM

@ITWhisperer 

Yeah, it's true that most 1 "special" and 1 "trans end A" per gsn. I will try it on my splunk and reply to you soon, thank you!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2022 05:16 AM

If I have understood correctly, you want the count of "trans end A" and the count of "special"?

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(transEndA="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...