- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to define a transaction search based on differ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am a Splunk newbie at beginner level. Trying to use transactions to get the length of duration of a given user session, and other analysis there of.
The session start entry (single Splunk entry with three lines) looks like:
TIMESTAMP New Session
ID:RANDOMSESSIONID
Session ready
The session end entry (single Splunk entry with two lines) looks like:
TIMESTAMP Session destroyed
Destroyed session ID MATCHINGRANDOMSESSIONID
I am not sure how my transaction definition in Splunk should look like. Any help appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest adding a maxevents count, just to keep the transaction command quick.
... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 | table ID duration
Now, if you are interested in looking at transactions that didn't get destroyed, you need to keepevicted
... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 keepevicted=t | where closed_txn=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest adding a maxevents count, just to keep the transaction command quick.
... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 | table ID duration
Now, if you are interested in looking at transactions that didn't get destroyed, you need to keepevicted
... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 keepevicted=t | where closed_txn=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
um. How do I extract ID ? The end session line is actually like "Destroyed session ID isRAMDOMSESSIONID". Note the 'is' and no space after it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. I've updated my original query to include this
... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i generally try to avoid transaction, however, you could try something like this:
...|rex field=_raw is(?<ID>.*)|transaction ID startswith="ready" endswith="destroyed"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately this didn't work. Seemed to match the session start with a different session end. Possibly because of the different session formats. For a 8 minute session, the duration is being shown as 11k plus, implying its using a different unrelated session end for duration calculation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I wasn't sure how to extract ID because the start session format is different from end session format. So looks like we can grab extract it from either place.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
