Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to define transaction that begin and end with the same condition?

unitedmarsupial
Path Finder
‎12-05-2019 03:15 PM

We have periodic events of the same kind and I want to count the time (duration) and the number of other events (eventcount) between them. For example, consider streams of events coming from different streams:

stream=1: Marker
stream=2: Marker
stream=1: Marker
stream=3: Marker
stream=3: Marker
stream=2: Marker

I tried using a transaction with the same start- and stop- condition:

transaction stream startswith=Marker endswith=Marker

expecting it to do what I want -- but instead, every such "transaction" has a duration of 0 and event-count of 1. Instead of three transactions in the above example, I got six...

How can I create a stream of transactions, where the starting event of the next one is also the ending event of the previous?

0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 11:39 AM

Like this:

Your Search Here
| streamstats count(eval(YourMarkerFieldHere="YourMarkerValueHere")) AS sessionID
| stats count BY sessionID
Reply

to4kawa
Ultra Champion
‎12-06-2019 11:33 AM 
| makeresults count=2 
| streamstats count 
| eval _time=if((count == 2),relative_time('_time',"-1@d"),relative_time('_time',"@m")) 
| makecontinuous span=1m 
| eval stream=((random() % 3) + 1)
`comment("this is sample data")`
| streamstats count
| xyseries count stream _time
| sort count
| eval count=1
| stats delim="," list(*) as stream* by count
| eval count=max(mvcount(stream1),mvcount(stream2),mvcount(stream3))
| eval counter=mvrange(1,count)
| mvexpand counter
| foreach stream*
    [eval stream_<<MATCHSTR>> = mvindex(<<FIELD>>,counter - 1)]
| autoregress stream_1 as stream_1_p
| autoregress stream_2 as stream_2_p
| autoregress stream_3 as stream_3_p
| fields stream_*
| foreach stream_* stream_*_p 
    [eval duration_stream_<<MATCHSEG1>>= round(stream_<<MATCHSEG1>> - stream_<<MATCHSEG1>>_p)]
| foreach stream_* 
    [eval <<FIELD>>=strftime(<<FIELD>>,"%F %T")]
| fields - stream_*_*

I tried various things on the premise of extracting the stream fields.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 11:13 PM

@unitedmarsupials

Sample events and expected output will be help us to work on your issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...