Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Use Earliest Starting Field in Transaction

Traer001
Path Finder
‎04-29-2021 11:40 AM

Hello,

I have events that look like this (for a user with id 123):

2021-04-29 14:30:45 Notification Received [User Id:123, location:null, location id:null]
2021-04-29 14:30:22 Response Sent for user id:123
2021-04-29 14:30:15 Notification Received [User Id:123, location:null, location id:null]
2021-04-29 14:29:56 Notification Received [User Id:123, location:null, location id:null]
2021-04-29 14:29:43 Notification Received [User Id:123, location:null, location id:null]
2021-04-29 14:29:35 Response Sent for user id:123
2021-04-29 14:28:59 Notification Received [User Id:123, location:null, location id:null]

 

I have a query where I am getting transactions that start with a Notification Received message and end with a Response Sent. My query works, but it does not start a transaction with the earliest instance of a starting point. So currently my query would return transactions with the timestamps of:

1)  2021-04-29 14:28:59  and  2021-04-29 14:29:35

2)  2021-04-29 14:30:15  and  2021-04-29 14:30:22

But I want the second transaction to retrieve the below instead:

2021-04-29 14:29:43  and  2021-04-29 14:30:22

 

Is there a way to do this in a transaction? Or a way to rewrite the query to get this?

My query looks like this:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "Notification\sReceived\s\[User\sId:(?<user_id>\d+),\slocation:\w+,\slocation id:\w+\]"
| rex field=_raw "Response\sSent\sfor\suser\sid:(?<user_id>\d+)"
| where user_id<2000
| sort 0 user_id, -_time
| transaction user_id startswith="Notification" endswith="Response" maxopenevents=2
| where duration>0
| rename _time as message_arrival
| eval message_arrived_at=strftime(message_arrival, "%Y-%m-%d %H:%M:%S")
| eval response_sent_at=strftime(message_arrival + duration, "%Y-%m-%d %H:%M:%S")
| table user_id, message_arrived_at, response_sent_at, duration

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Traer001
Path Finder
‎04-29-2021 02:09 PM

Thank you for the reply! Unfortunately this solution did not work for me. However, it did remind me of an idea to try. Instead of going straight into the transaction after sorting, I did a reverse time sort and then used streamstats to count the different actions (Notification vs. Response) in order, resetting the count when the action changed. Then I reversed the time sort again and was able to retrieve the earliest events for each stream of actions. Using that I was able to get the accurate transaction results. The query is below.

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "Notification\sReceived\s\[User\sId:(?<user_id>\d+),\slocation:\w+,\slocation id:\w+\]"
| rex field=_raw "Response\sSent\sfor\suser\sid:(?<user_id>\d+)"
| eval action=if(like(_raw, "%Response%"), 1, 0)
| where user_id<2000
| sort 0 user_id, _time
| streamstats count as count_value by user_id action reset_on_change=true
| where count_value=1
| sort 0 user_id, -_time
| transaction user_id startswith="Notification" endswith="Response"
| where duration>0 | rename _time as message_arrival
| eval message_arrived_at=strftime(message_arrival, "%Y-%m-%d %H:%M:%S")
| eval response_sent_at=strftime(message_arrival + duration, "%Y-%m-%d %H:%M:%S")
| table user_id, message_arrived_at, response_sent_at, duration

View solution in original post

Reply
Solved! Jump to solution
Solution

Traer001
Path Finder
‎04-29-2021 02:09 PM

Thank you for the reply! Unfortunately this solution did not work for me. However, it did remind me of an idea to try. Instead of going straight into the transaction after sorting, I did a reverse time sort and then used streamstats to count the different actions (Notification vs. Response) in order, resetting the count when the action changed. Then I reversed the time sort again and was able to retrieve the earliest events for each stream of actions. Using that I was able to get the accurate transaction results. The query is below.

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "Notification\sReceived\s\[User\sId:(?<user_id>\d+),\slocation:\w+,\slocation id:\w+\]"
| rex field=_raw "Response\sSent\sfor\suser\sid:(?<user_id>\d+)"
| eval action=if(like(_raw, "%Response%"), 1, 0)
| where user_id<2000
| sort 0 user_id, _time
| streamstats count as count_value by user_id action reset_on_change=true
| where count_value=1
| sort 0 user_id, -_time
| transaction user_id startswith="Notification" endswith="Response"
| where duration>0 | rename _time as message_arrival
| eval message_arrived_at=strftime(message_arrival, "%Y-%m-%d %H:%M:%S")
| eval response_sent_at=strftime(message_arrival + duration, "%Y-%m-%d %H:%M:%S")
| table user_id, message_arrived_at, response_sent_at, duration

Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-29-2021 12:41 PM

hi @Traer001,

Try this.

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "Notification\sReceived\s\[User\sId:(?<user_id>\d+),\slocation:\w+,\slocation id:\w+\]"
| rex field=_raw "Response\sSent\sfor\suser\sid:(?<user_id>\d+)"
| rex "^(?<timestamp>\d+-\d+-\d+\s\d+:\d+:\d+)\s(?<status>\w+)" 
| eval sField=if(status="Response", 1, 0) 
| where user_id<2000 
| sort 0 user_id, _time 
| delta sField p=1 as delta 
| search NOT delta=0 
| sort 0 -_time 
| transaction user_id startswith="Notification" endswith="Response" maxopenevents=2
| where duration>0
| rename _time as message_arrival
| eval message_arrived_at=strftime(message_arrival, "%Y-%m-%d %H:%M:%S")
| eval response_sent_at=strftime(message_arrival + duration, "%Y-%m-%d %H:%M:%S")
| table user_id, message_arrived_at, response_sent_at, duration

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...