Splunk Search

How to properly handle transactions which start within the defined time range but end after it

Flobzh
Explorer

Hello

I'm using the transaction function to compute the average duration and identify uncompleted transactions.

Assuming only the events within the selected time range are taken into account by default, it means that the transactions which start within the selected time range of the search but end after it are counted as uncompleted transactions. What can I do to extend the search beyond the range for the uncompleted transactions?

StartSearchtime > StartTransaction > EndTransaction > EndSearchTime = OK

StartSearchtime > StartTransaction > EndSearchTime = True KO (case where the EndTransaction never happened)

StartSearchtime > StartTransaction > EndSearchTime > EndTransaction = False KO (case where the EndTransaction exists but can only be found after the selected time range)

Extending the EndSearchTime is not the solution, as the service runs 24/7: new transactions started within the extended slot will then end up with potential EndTransactions out of the new range.

Thanks for your help.

Flo

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Extending the end time is the solution, only you then have to filter out any transactions which started after the end time of your required time period. (How else are you going to find the ends of the transactions if you don't include these events in your search?)

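A worked version of that approach, as an added example that is not part of the thread (index, sourcetype and the txn_id field are assumed names, and a 10 minute maxspan is an assumption about the service). The reporting window is the previous full hour, but the search itself runs from one hour before that window to 10 minutes after it, so the END events of transactions that started near the top of the hour are visible; the transactions are then filtered on their own _time, which the transaction command sets to the timestamp of the earliest event in the transaction. This goes slightly beyond the reply above by padding the start of the window as well, so that a transaction whose START event fell before the window is not mistaken for an uncompleted one:

```spl
index=app sourcetype=app_txn earliest=-2h@h latest=@h+10m
| transaction txn_id maxspan=10m maxevents=2 keepevicted=true
| eval window_start=relative_time(now(), "-1h@h"), window_end=relative_time(now(), "@h")
| where _time >= window_start AND _time < window_end
| eval state=if(eventcount=2, "complete", "incomplete")
| stats count as transactions, avg(duration) as avg_duration_sec by state
```

The padding on each side must be at least as long as maxspan: with a 10 minute maxspan, a transaction that started inside the window cannot end more than 10 minutes after window_end, and a transaction that ended inside the window cannot have started more than 10 minutes before window_start, so every START/END pair that matters is inside the extended search. keepevicted=true makes the transaction command output transactions it would otherwise evict, and eventcount=2 (a START and an END) is the completeness test, as in the original poster's own search. The avg_duration_sec value is only meaningful for the "complete" row, since a single-event transaction has a duration of 0.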

Flobzh
Explorer

Hi IT Whisperer,

I was hoping for a transaction parameter which allows handling such a case, but I understand from your answer that the search time range is a hard limit.

Filtering events means that I'll lose a bit of data at the end of the range, but I can live with it.

I've worked out something like this to filter out the last 60 sec:

| transaction ...  maxevents=2
| eventstats max(_time) as latestMessage
| where !(eventcount = 1 AND _time > latestMessage-60)

Thanks for your help.
