Splunk Search

How can I get the rate of a transaction which run in a specific way

Jackiifilwhh
Path Finder

Background

In my system, every visit consist of one or more transactions and every has its global serial number, which is unique(gsn for short). A transaction may produce many rows of logs but it has the same gsn. A transaction always ends with "trans end transName", while the "transName" means the name of the transaction, a transaction named Test ends with "trans end Test", for example. Every transaction's name is unique.

Questions

Now I have a transaction named A, which in some case will do something specially and log "special". But other transactions will log "special" too. And most 1 "special" and 1 "trans end A" per gsn. How can I get the rate of transaction A that goes this way by just one command or, some fast ways than subsearch?

Tried

Below is what I've tried. The subsearch runs very slowly, which takes 5 min at least. If there's no one-command way, I want to get a  way faster than subsearch.

 

 

//get the count of transaction A
"trans end A" | stats count
//get the count of transaction A that runs specially
join type=inner gsn [search "trans end A"] | regex "special" | stats count

 

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Assuming at most 1 "special" and 1 "trans end A" per gsn

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(trans="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count by gsn
| where trans_end_A_count=1
| stats sum(trans_end_A_count) as trans_end_A_count sum(special_count) as special_count

View solution in original post

Jackiifilwhh
Path Finder

@ITWhisperer 

Thank you! I'm sorry that I forget to say that other transactions may log "special" too! So it is not unique. I've modified the question, sorry!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Assuming at most 1 "special" and 1 "trans end A" per gsn

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(trans="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count by gsn
| where trans_end_A_count=1
| stats sum(trans_end_A_count) as trans_end_A_count sum(special_count) as special_count

Jackiifilwhh
Path Finder

Hi @ITWhisperer 

Woooo! It's amazing! It worked well and I get what I want! When I saw this demand, I first thought of subsearch that connects the whole transaction by using gsn, but you found the nature! Because I'm more familiar with SQL, I prefer to use subsearch or other connected-command and think in SQL's way. I want to know how do you come up with this answer?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

First thing is to forget SQL - Splunk SPL is different

Second thing is to avoid joins and subsearches in general if possible. This is because they are limited by the number of events they can process to 50,000.

The aggregation commands like stats, eventstats, streamstats, chart, timechart, etc. have a by clause which can be use to "join" events.

Using this, it is a case of working out which field (or fields) you can use to "join" your events and then process these aggregated events.

SPL works on a pipeline / stream of events, i.e. each command processes the events it received from further up the chain and passes them on.

Some commands will hold up the events until all events have been received before passing them on, consider sort for example, whereas others can process each event independently.

0 Karma

Jackiifilwhh
Path Finder

Thank you very much for saying so much to me. I will remember these and think with practice in the future!

0 Karma

Jackiifilwhh
Path Finder

@ITWhisperer 

Yeah, it's true that most 1 "special" and 1 "trans end A" per gsn. I will try it on my splunk and reply to you soon, thank you!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If I have understood correctly, you want the count of "trans end A" and the count of "special"?

| rex "(?<transEndA>trans end A)"
| rex "(?<special>special)"
| stats count(eval(transEndA="trans end A")) as trans_end_A_count count(eval(special="special")) as special_count
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...