Splunk Search

How to properly handle transactions which start within the defined time range but end after it

Flobzh
Explorer

Hello

I'm using the transaction function to compute average duration and identify uncompleted transactions.

Assuming only the events within the selected time range are taken into account by default, it means that the transactions which start within the selected time range of the search but end after it are counted as uncompleted transactions. How can I extend the search beyond the range for the uncompleted transactions?

StartSearchtime > StartTransaction > EndTransaction > EndSearchTime = OK 

StartSearchtime > StartTransaction  > EndSearchTime = True KO (case where the EndTransaction never happened)

StartSearchtime > StartTransaction > EndSearchTime > EndTransaction = False KO (case where EndTransaction exists but can only be found after the selected timerange)

Extending the EndSearchTime is not the solution, as the service runs 24/7: new transactions started within the extended slot will then end up with a potential EndTransaction outside the new range.

Thanks for your help.

Flo

1 Solution

ITWhisperer
SplunkTrust

Extending the end time is the solution, only you then have to filter out any transactions which started after your required time period end time. (How else are you going to find the ends of the transactions if you don't include these events in your search?)

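A concrete form of the approach in the answer above, as an added example that is not from the original post or from ITWhisperer. The required reporting period is the 24 hours ending one hour ago; the search window is extended by one hour of lookahead so that the END events of transactions begun late in the period are still retrieved, and a where clause then discards transactions that started inside the lookahead. The index, the sourcetype, the field session_id and the action=START / action=END markers are assumptions for illustration.

```spl
index=app sourcetype=app:txn earliest=-25h@h latest=@h
| transaction session_id startswith="action=START" endswith="action=END" maxevents=2 maxspan=1h
| eval required_end=relative_time(now(), "-1h@h")
| where _time < required_end
| where isnotnull(mvfind(action, "^START$"))
| eval status=if(eventcount=2, "complete", "incomplete")
| stats count, avg(duration) as avg_duration_s by status
```

How the pieces fit together: after transaction, _time is the time of the earliest event in each transaction, so `_time < required_end` keeps exactly the transactions that started inside the required period, whatever the extension. The lookahead (one hour here) should be at least the maxspan, otherwise a transaction that starts just before required_end can still have its END outside the window and be reported as incomplete even though it later completed. The mvfind line is the mirror check at the start of the window: a transaction whose START lies before earliest shows up as a lone END with eventcount=1, and without that filter it would be counted as incomplete too.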


Flobzh
Explorer

Hi ITWhisperer,

I was hoping for a transaction parameter which allows handling such a case, but I understand from your answer that the search time range is a hard limit.

Filtering events means that I'll lose a bit of data at the end of the range, but I can live with it.

I've worked out something like this to filter on the last 60 sec:

| transaction ...  maxevents=2
| eventstats max(_time) as latestMessage
| where !(eventcount = 1 AND _time > latestMessage-60)

Thanks for your help.
