Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to handle properly transactions which starts within the define rangetime but ends after

Flobzh
Explorer
‎05-30-2024 07:57 AM

Hello

I'm using the transaction function to compute average duration and identify uncompleted transactions.

Assuming only the events within the selected timerange are taken into account by default, it means that the transactions which start within the selected timerange of the search but ends after are counted as uncompleted transactions.  How can I do to extend the search out of the range for the uncompleted transactions? 

StartSearchtime > StartTransaction > EndTransaction > EndSearchTime = OK 

StartSearchtime > StartTransaction  > EndSearchTime = True KO (case where the EndTransaction never happened)

StartSearchtime > StartTransaction > EndSearchTime > EndTransaction = False KO (case where EndTransaction exists but can only be found after the selected timerange)

Extending the EndSearchTime is not the solution, as the service runs 24/7,  new transactions started within the extended slot will then end up with potential EndTransaction out of the new range. 

Thanks for your help.

Flo

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2024 08:39 AM

Extending the end time is the solution, only you then have to filter out any transactions which started after your required time period end time. (How else are you going to find the ends of the transactions if you don't include these events in your search?)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2024 08:39 AM

Extending the end time is the solution, only you then have to filter out any transactions which started after your required time period end time. (How else are you going to find the ends of the transactions if you don't include these events in your search?)

0 Karma
Reply
Solved! Jump to solution

Flobzh
Explorer
‎05-30-2024 10:34 AM

Hi IT Whisperer,

I was hopping for a transaction parameter which allows to handle such case, but I understand from your answer that the search time range is a hard limit.

Filtering events means that I'll loose a bit of data at the end of the range, but I can live with it.

I've worked something like this to filter on the last 60 sec:

| transaction ...  maxevents=2
| eventstats max(_time) as latestMessage
| where !(eventcount = 1 AND _time > latestMessage-60)

Thanks for your help.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...