Splunk Search

How to properly handle transactions which start within the defined time range but end after

Flobzh
Explorer

Hello

I'm using the transaction function to compute average duration and identify uncompleted transactions.

Assuming only the events within the selected time range are taken into account by default, it means that the transactions which start within the selected time range of the search but end after are counted as uncompleted transactions. How can I extend the search out of the range for the uncompleted transactions?

StartSearchtime > StartTransaction > EndTransaction > EndSearchTime = OK 

StartSearchtime > StartTransaction > EndSearchTime = True KO (case where the EndTransaction never happened)

StartSearchtime > StartTransaction > EndSearchTime > EndTransaction = False KO (case where EndTransaction exists but can only be found after the selected timerange)

Extending the EndSearchTime is not the solution, as the service runs 24/7: new transactions started within the extended slot will then end up with a potential EndTransaction out of the new range.

Thanks for your help.

Flo

1 Solution

ITWhisperer
SplunkTrust

Extending the end time is the solution, only you then have to filter out any transactions which started after your required time period end time. (How else are you going to find the ends of the transactions if you don't include these events in your search?)


Flobzh
Explorer

Hi IT Whisperer,

I was hoping for a transaction parameter which allows handling such a case, but I understand from your answer that the search time range is a hard limit.

Filtering events means that I'll lose a bit of data at the end of the range, but I can live with it.

I've worked something like this to filter on the last 60 sec:

| transaction ...  maxevents=2
| eventstats max(_time) as latestMessage
| where !(eventcount = 1 AND _time > latestMessage-60)

Thanks for your help.

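The approach from the accepted answer (search a window extended past the required end time, then drop transactions that started after that end time) and the filtering idea in the reply above, modelled as an added Python example that is not part of this thread; the event list, the `lookahead` parameter and the function names are constructed for illustration and stand in for `transaction ... maxevents=2` followed by a `where` filter:

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, transaction id, event type).
# The requested search window in the test is [0, 600).
EVENTS = [
    (100, "t1", "START"), (160, "t1", "END"),  # starts and ends in range: OK
    (200, "t2", "START"),                      # END never happens: true KO
    (550, "t3", "START"), (640, "t3", "END"),  # END after range: false KO unless extended
    (620, "t4", "START"), (700, "t4", "END"),  # started in the extra slot: must be excluded
]


def transactions(events, earliest, latest):
    """Group START/END events by id, like `transaction <id> maxevents=2`,
    using only events whose _time falls within [earliest, latest).
    Returns {id: (start_time or None, end_time or None)}."""
    tx = defaultdict(dict)
    for t, tid, kind in events:
        if earliest <= t < latest:
            tx[tid][kind] = t
    return {tid: (ev.get("START"), ev.get("END")) for tid, ev in tx.items()}


def classify(events, earliest, latest, lookahead=0):
    """Search the extended window [earliest, latest + lookahead) so that late
    ENDs are found, then keep only transactions that started before `latest`
    (the filter the accepted answer asks for). A transaction whose END is still
    missing after the extension is a genuine incomplete one.
    Returns {id: "complete" | "incomplete"}."""
    result = {}
    for tid, (start, end) in transactions(events, earliest, latest + lookahead).items():
        if start is None or start >= latest:
            continue  # orphan END, or a transaction that began after the requested end
        result[tid] = "complete" if end is not None else "incomplete"
    return result


def avg_duration(events, earliest, latest, lookahead=0):
    """Average duration of the complete transactions kept by classify()."""
    kept = classify(events, earliest, latest, lookahead)
    spans = [end - start
             for tid, (start, end) in transactions(events, earliest, latest + lookahead).items()
             if kept.get(tid) == "complete"]
    return sum(spans) / len(spans) if spans else None


if __name__ == "__main__":
    print("no lookahead:", classify(EVENTS, 0, 600))
    print("120s lookahead:", classify(EVENTS, 0, 600, lookahead=120))
    print("avg duration with lookahead:", avg_duration(EVENTS, 0, 600, lookahead=120))
```

With `lookahead` set to the longest duration a transaction can take, `t3` is correctly reported as complete and `t4` is never counted, which is the behaviour the thread is after.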