Splunk Search

How to define a transaction search based on different start and end formats?

psteja
Engager

I am a Splunk newbie at beginner level. Trying to use transactions to get the length of duration of a given user session, and other analysis thereof.

The session start entry (single Splunk entry with three lines) looks like:

TIMESTAMP New Session
ID:RANDOMSESSIONID
Session ready

The session end entry (single Splunk entry with two lines) looks like:

TIMESTAMP Session destroyed
Destroyed session ID MATCHINGRANDOMSESSIONID

I am not sure what my transaction definition in Splunk should look like. Any help appreciated.

0 Karma
1 Solution

sundareshr
Legend

I would suggest adding a maxevents count, just to keep the transaction command quick.

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 | table ID duration

Now, if you are interested in looking at transactions that didn't get destroyed, you need to set keepevicted:

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 keepevicted=t | where closed_txn=0

View solution in original post
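As an added illustration of what the accepted pipeline does (this is example code, not part of the thread and not Splunk's own implementation), the Python below runs the same two-regex ID extraction and the same start/end pairing over a handful of constructed multi-line events. The events, their ISO-8601 timestamps and the session IDs are all invented for the example; the regexes are the ones from the answer, rewritten with Python's `(?P<ID>...)` named-group syntax because Python's `re` module does not accept Splunk's `(?<ID>...)` form. `build_transactions` is a simplified model of `transaction ID startswith="ready" endswith="destroyed" maxevents=2`: one start plus one end per ID, with `keepevicted=True` returning the unclosed sessions as `closed_txn=0`, the same filter the answer applies with `where closed_txn=0`.

```python
import re
from datetime import datetime

# Constructed sample events (not from the original thread). Each string is one
# multi-line Splunk event in the two formats the question describes. Session
# def456 is started but never destroyed, so it should surface as evicted.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00 New Session\nID:abc123\nSession ready",
    "2024-05-01T10:01:00 New Session\nID:def456\nSession ready",
    "2024-05-01T10:08:00 Session destroyed\nDestroyed session ID isabc123",
    "2024-05-01T10:02:30 New Session\nID:ghi789\nSession ready",
    "2024-05-01T10:20:00 Session destroyed\nDestroyed session ID isghi789",
]

# The two rex patterns from the accepted answer, one per event format.
# Python spells Splunk's (?<ID>...) as (?P<ID>...); the patterns are otherwise identical.
START_ID = re.compile(r"ID:(?P<ID>[^\s]+)")
END_ID = re.compile(r"Destroyed session ID is(?P<ID>[^\s]+)")
TIMESTAMP = re.compile(r"^(\S+) ")  # assumption: the timestamp is the first token


def parse_event(raw):
    """Return (timestamp, ID, kind) for one raw event.

    kind is "start" for an event matching startswith="ready", "end" for one
    matching endswith="destroyed", and None if neither regex extracts an ID.
    """
    ts = datetime.fromisoformat(TIMESTAMP.match(raw).group(1))
    if "ready" in raw:
        m = START_ID.search(raw)
        if m:
            return ts, m.group("ID"), "start"
    if "destroyed" in raw:
        m = END_ID.search(raw)
        if m:
            return ts, m.group("ID"), "end"
    return ts, None, None


def build_transactions(parsed_events, keepevicted=False):
    """Pair each session start with its end by ID and compute the duration.

    Simplified model of `transaction ID startswith="ready" endswith="destroyed"
    maxevents=2`: events are processed in time order, an end closes the open
    start with the same ID, and a start that never sees its end stays open.
    With keepevicted=False only closed transactions are returned (closed_txn=1);
    with keepevicted=True the unclosed ones are returned too (closed_txn=0,
    duration 0, the same shape Splunk gives a single-event transaction).
    """
    open_starts = {}  # ID -> start timestamp
    results = []
    for ts, sid, kind in sorted(parsed_events, key=lambda e: e[0]):
        if sid is None:
            continue
        if kind == "start":
            open_starts[sid] = ts
        elif kind == "end" and sid in open_starts:
            start = open_starts.pop(sid)
            results.append({"ID": sid,
                            "duration": (ts - start).total_seconds(),
                            "closed_txn": 1})
        # an end with no matching start is ignored in this simplified model
    for sid in open_starts:
        results.append({"ID": sid, "duration": 0.0, "closed_txn": 0})
    if not keepevicted:
        return [r for r in results if r["closed_txn"] == 1]
    return results


def session_durations(raw_events):
    """Equivalent of `... | table ID duration` for the closed sessions."""
    txns = build_transactions([parse_event(e) for e in raw_events])
    return {t["ID"]: t["duration"] for t in txns}


def unclosed_sessions(raw_events):
    """Equivalent of `... keepevicted=t | where closed_txn=0`."""
    txns = build_transactions([parse_event(e) for e in raw_events], keepevicted=True)
    return [t["ID"] for t in txns if t["closed_txn"] == 0]


if __name__ == "__main__":
    for sid, secs in session_durations(SAMPLE_EVENTS).items():
        print(f"{sid}\t{secs:.0f}s")
    print("never destroyed:", unclosed_sessions(SAMPLE_EVENTS))
```

With the constructed events, abc123 lasts 480 seconds and ghi789 1050 seconds, while def456 only appears in the evicted list. Because the start regex requires the literal `ID:` and the end regex the literal `ID is`, each pattern can only fire on its own event format, which is why both `rex` commands can write to the same `ID` field without clobbering each other.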

psteja
Engager

Um. How do I extract ID? The end session line is actually like "Destroyed session ID isRANDOMSESSIONID". Note the 'is' and no space after it.

0 Karma

sundareshr
Legend

Try this. I've updated my original query to include this

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" 
0 Karma

cmerriman
Super Champion

I generally try to avoid transaction; however, you could try something like this:

...|rex field=_raw "is(?<ID>.*)"|transaction ID startswith="ready" endswith="destroyed"
0 Karma

psteja
Engager

Unfortunately this didn't work. Seemed to match the session start with a different session end. Possibly because of the different session formats. For an 8-minute session, the duration is being shown as 11k plus, implying it's using a different, unrelated session end for the duration calculation.

0 Karma

psteja
Engager

Thank you! I wasn't sure how to extract ID because the start session format is different from the end session format. So it looks like we can extract it from either place.

0 Karma