Splunk Search

How to properly handle transactions which start within the defined time range but end after

Flobzh
Explorer

Hello

I'm using the transaction function to compute average duration and identify uncompleted transactions.

Assuming only the events within the selected time range are taken into account by default, it means that the transactions which start within the selected time range of the search but end after are counted as uncompleted transactions. How can I extend the search out of the range for the uncompleted transactions?

StartSearchtime > StartTransaction > EndTransaction > EndSearchTime = OK 

StartSearchtime > StartTransaction  > EndSearchTime = True KO (case where the EndTransaction never happened)

StartSearchtime > StartTransaction > EndSearchTime > EndTransaction = False KO (case where EndTransaction exists but can only be found after the selected timerange)

Extending the EndSearchTime is not the solution, as the service runs 24/7: new transactions started within the extended slot will then end up with a potential EndTransaction out of the new range.

Thanks for your help.

Flo


ITWhisperer
SplunkTrust

Extending the end time is the solution, only you then have to filter out any transactions which started after your required time period end time. (How else are you going to find the ends of the transactions if you don't include these events in your search?)

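To show the approach in the accepted answer (search past the required end time, then drop the transactions that started after it), here is an added Python model of the pairing and filtering; it is not Splunk code or code from this thread, and the event list, window bounds and extension length are constructed values.

```python
from typing import Optional
from dataclasses import dataclass

# Constructed sample events as (timestamp_seconds, transaction_id, event_type).
# They only illustrate the cases from the question; none come from real data.
EVENTS = [
    (100, "t1", "START"), (130, "t1", "END"),   # OK: starts and ends inside the window
    (150, "t2", "START"),                       # True KO: the END never happens
    (170, "t3", "START"), (230, "t3", "END"),   # False KO: END lands after the window
    (210, "t4", "START"), (240, "t4", "END"),   # started after the window: must be dropped
]

@dataclass
class Transaction:
    tid: str
    start: int
    end: Optional[int]   # None when no END event was found in the searched range

    @property
    def duration(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

def build_transactions(events, earliest, latest):
    """Pair START/END events inside [earliest, latest], as `transaction` would."""
    txs = {}
    for ts, tid, kind in sorted(events):
        if not earliest <= ts <= latest:
            continue                      # the search time range is a hard limit
        if kind == "START":
            txs[tid] = Transaction(tid, ts, None)
        elif tid in txs and txs[tid].end is None:
            txs[tid].end = ts             # first END after the START closes it
    return list(txs.values())

def transactions_in_window(events, earliest, latest, extension):
    """Search up to latest+extension, then keep only transactions that
    started within the originally requested window (the answer's filter)."""
    extended = build_transactions(events, earliest, latest + extension)
    return [t for t in extended if t.start <= latest]

def average_duration(txs):
    """Average duration over completed transactions only (None if there are none)."""
    durations = [t.duration for t in txs if t.end is not None]
    return sum(durations) / len(durations) if durations else None
```

With the extension, t3 is no longer a false KO, t4 is filtered out, and only t2 remains incomplete; a transaction that starts just before the window end and finishes later than the extension is still reported as incomplete, which is the residual loss mentioned in the thread.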

Flobzh
Explorer

Hi IT Whisperer,

I was hoping for a transaction parameter which allows handling such a case, but I understand from your answer that the search time range is a hard limit.

Filtering events means that I'll lose a bit of data at the end of the range, but I can live with it.

I've worked out something like this to filter on the last 60 sec:

| transaction ...  maxevents=2
| eventstats max(_time) as latestMessage
| where NOT (eventcount = 1 AND _time > latestMessage-60)

Thanks for your help.
