Splunk Search

How to find the duration of overlapping transactions

raynold_peterso
Path Finder

Ok,

I have two or more transactions like this:

Host:abc123_01 start:08:00 end:10:00
Host:abc123_02 start:09:05 end:11:00

If you look, the time windows of the transactions overlap. I would like to be able to calculate the duration of the overlap itself.

Not sure if there is an automated way.

Any help would be appreciated,
Rcp

0 Karma

woodcock
Esteemed Legend

You can do some crazy stuff with concurrency:
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Concurrency

Search for woodcock splunk answers concurrency and maybe something that I have written before will get you going.

0 Karma

DalJeanis
Legend

Adapt one of these -

https://answers.splunk.com/answers/513002/how-to-graph-sum-of-overlapping-values-given-start.html#an...
https://answers.splunk.com/answers/565112/suggestions-for-charting-backlogs-by-month.html

The basic idea is to break each transaction into two - one that +1s the count at the start, and one that -1s the count at the end. In your use case, any increment of time where the total open count is 2 or more is a unit of overlap.
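As an added example that is not part of the thread, here is the +1/-1 sweep DalJeanis describes, written in Python rather than SPL so it can be run offline. It splits every transaction into a start event (+1) and an end event (-1), sorts them, and walks the timeline keeping a running count of open transactions; any segment where that count is 2 or more is overlap. The `concurrency_at_start` helper approximates what woodcock's pointer to the `concurrency` command reports (how many transactions are open when each one starts). The sample transactions are constructed from the question's two hosts, and the function and field names are mine, not Splunk's.

```python
from typing import Dict, List, Tuple

# Constructed sample input modelled on the question: two transactions whose
# windows overlap between 09:05 and 10:00. Not real log data.
SAMPLE_TRANSACTIONS: List[Dict[str, str]] = [
    {"host": "abc123_01", "start": "08:00", "end": "10:00"},
    {"host": "abc123_02", "start": "09:05", "end": "11:00"},
]


def _to_minutes(hhmm: str) -> int:
    """Parse 'HH:MM' into minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def sweep(transactions: List[Dict[str, str]]) -> List[Tuple[int, int, int]]:
    """Sweep-line over the transactions.

    Each transaction becomes a (+1) event at its start and a (-1) event at
    its end. Sorting the (time, delta) tuples puts -1 before +1 at equal
    timestamps, so a transaction ending exactly when another begins is not
    counted as overlapping it. Returns (t_from, t_to, open_count) segments
    spanning from the earliest start to the latest end.
    """
    events: List[Tuple[int, int]] = []
    for tx in transactions:
        events.append((_to_minutes(tx["start"]), +1))
        events.append((_to_minutes(tx["end"]), -1))
    events.sort()

    segments: List[Tuple[int, int, int]] = []
    open_count = 0
    prev_t = None
    for t, delta in events:
        # Close the segment that ran from the previous event to this one.
        if prev_t is not None and t > prev_t:
            segments.append((prev_t, t, open_count))
        open_count += delta
        prev_t = t
    return segments


def overlap_minutes(transactions: List[Dict[str, str]], min_concurrency: int = 2) -> int:
    """Total minutes during which at least `min_concurrency` transactions are open."""
    return sum(
        t_to - t_from
        for t_from, t_to, n in sweep(transactions)
        if n >= min_concurrency
    )


def max_concurrency(transactions: List[Dict[str, str]]) -> int:
    """Highest number of transactions open at any one moment."""
    return max((n for _, _, n in sweep(transactions)), default=0)


def concurrency_at_start(transactions: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Approximation (my own, not Splunk's implementation) of what the
    `concurrency` command reports: for each transaction, the number of
    transactions, itself included, open at the instant it starts."""
    result = []
    for tx in transactions:
        s = _to_minutes(tx["start"])
        n = sum(
            1
            for other in transactions
            if _to_minutes(other["start"]) <= s < _to_minutes(other["end"])
        )
        result.append((tx["host"], n))
    return result


if __name__ == "__main__":
    for seg in sweep(SAMPLE_TRANSACTIONS):
        print(seg)
    print("overlap minutes:", overlap_minutes(SAMPLE_TRANSACTIONS))
    print("concurrency at start:", concurrency_at_start(SAMPLE_TRANSACTIONS))
```

For the two transactions in the question this reports three segments (08:00 to 09:05 with one open, 09:05 to 10:00 with two open, 10:00 to 11:00 with one open) and 55 minutes of overlap. The same sweep handles any number of transactions, so it also answers cpetterborg's question about more than two events: raise `min_concurrency` to measure time where three or more overlap.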

cpetterborg
SplunkTrust

Will you always have only two events to match up?

If you will have more than two, will you have them already correlated (like with a transaction command)?

0 Karma

lfedak_splunk
Splunk Employee

Hey @raynold.peterson, don't forget to accept an answer if one of these solutions worked for you. 🙂 Everyone loves karma points! Happy Splunking!

0 Karma