Splunk Search

How to define a transaction search based on different start and end formats?

Engager

I am a Splunk newbie at beginner level. Trying to use transactions to get the length of duration of a given user session, and other analysis thereof.

The session start entry (single Splunk entry with three lines) looks like:

TIMESTAMP New Session
ID:RANDOMSESSIONID
Session ready

The session end entry (single Splunk entry with two lines) looks like:

TIMESTAMP Session destroyed
Destroyed session ID MATCHINGRANDOMSESSIONID

I am not sure what my transaction definition in Splunk should look like. Any help appreciated.

0 Karma
1 Solution

Legend

I would suggest adding a maxevents count, just to keep the transaction command quick.

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 | table ID duration

Now, if you are interested in looking at transactions that didn't get destroyed, you need to keepevicted

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)" | transaction ID startswith="ready" endswith="destroyed" maxevents=2 keepevicted=t | where closed_txn=0

View solution in original post
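To make the accepted search's behaviour concrete, here is an added Python emulation (not Splunk's code and not from this thread) that applies the answer's two rex patterns to constructed sample events, pairs starts with ends by ID, and surfaces the keepevicted / closed_txn=0 case for sessions that were never destroyed. Its closed_txn handling is a simplification of Splunk's: a transaction counts as closed only when a start and an end with the same ID were paired.

```python
import re
from datetime import datetime

# Constructed sample events (not real logs) in the two formats from the question:
# a session destroyed normally, a session never destroyed, and an end event
# whose ID never had a matching start.
EVENTS = [
    "2024-01-01 10:00:00 New Session\nID:abc123\nSession ready",
    "2024-01-01 10:01:00 New Session\nID:def456\nSession ready",
    "2024-01-01 10:08:00 Session destroyed\nDestroyed session ID isabc123",
    "2024-01-01 10:30:00 Session destroyed\nDestroyed session ID isxyz789",
]

# The two rex patterns from the accepted answer. Python needs (?P<ID>...) where
# Splunk's PCRE accepts (?<ID>...); the patterns are otherwise identical.
START_RE = re.compile(r"ID:(?P<ID>[^\s]+)")
END_RE = re.compile(r"Destroyed session ID is(?P<ID>[^\s]+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def extract_id(raw):
    """Apply both rex patterns like the answer does; whichever matches sets ID."""
    for pattern in (START_RE, END_RE):
        m = pattern.search(raw)
        if m:
            return m.group("ID")
    return None


def correlate(events):
    """Emulate: transaction ID startswith="ready" endswith="destroyed" maxevents=2 keepevicted=t
    (simplified: closed_txn=1 only when a start and end with the same ID were paired)."""
    open_txns, results = {}, []
    for raw in sorted(events, key=lambda r: datetime.strptime(r[:19], TS_FMT)):
        ts = datetime.strptime(raw[:19], TS_FMT)
        sid = extract_id(raw)
        if sid is None:
            continue  # no ID field, so the event cannot join any transaction
        if "ready" in raw:
            if sid in open_txns:  # a second start for the same ID evicts the first
                results.append({"ID": sid, "duration": 0, "closed_txn": 0})
            open_txns[sid] = ts
        elif "destroyed" in raw:
            start = open_txns.pop(sid, None)
            if start is None:  # end with no start: reported, but not closed
                results.append({"ID": sid, "duration": 0, "closed_txn": 0})
            else:
                results.append({"ID": sid, "duration": (ts - start).total_seconds(), "closed_txn": 1})
    for sid in open_txns:  # keepevicted=t: sessions never destroyed still surface
        results.append({"ID": sid, "duration": 0, "closed_txn": 0})
    return results


def unclosed(events):
    """The `where closed_txn=0` filter from the answer."""
    return [r["ID"] for r in correlate(events) if r["closed_txn"] == 0]
```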


Engager

Um. How do I extract ID? The end session line is actually like "Destroyed session ID isRANDOMSESSIONID". Note the 'is' and no space after it.

0 Karma

Legend

Try this. I've updated my original query to include this:

... | rex "ID:(?<ID>[^\s]+)" | rex "Destroyed session ID is(?<ID>[^\s]+)"

0 Karma

Super Champion

I generally try to avoid transaction; however, you could try something like this:

...|rex field=_raw "is(?<ID>.*)"|transaction ID startswith="ready" endswith="destroyed"

0 Karma

Engager

Unfortunately this didn't work. It seemed to match the session start with a different session end, possibly because of the different session formats. For an 8 minute session, the duration is being shown as 11k plus, implying it's using a different, unrelated session end for the duration calculation.

0 Karma

Engager

Thank you! I wasn't sure how to extract ID because the start session format is different from the end session format. So it looks like we can extract it from either place.

0 Karma