Splunk Search

Spreading transaction duration over spans


I have some data containing transactions that might take short (a couple of seconds) or very long (hours). I want to have a timechart that shows the duration of the transactions in spans of 15 minutes. I have the following:

source="<source>" | transaction tr startswith="start" endswith="end" | timechart sum(duration) span=15m by tr

This works nicely when the transaction is not longer than 15 minutes, but when the duration is e.g. 1 hour and started at 4 PM, I have a tall bar in the span from 4:00PM to 4:15PM and none in the following 3 spans. What I want is to have a bar of 15 minutes in the first span, 15 minutes in the seconds span (4:15PM to 4:30PM), etc.
Is this possible?


Tags (2)
0 Karma

Ultra Champion

This may not be exactly what you're looking for, but if you just want to have an overview;

... | bucket _time span=15m | dedup tr _time | timechart c span=15m by tr |

Assumption is that the tr transaction identifier can be used as such, without any startswith/endswith constraints. So now you'll have a '1' or '0' for each 15-minute block per transaction. So this will NOT measure the real duration of a transaction, it will just show whether parts of a transaction happened during a 15 min block. This can be visualised like below (although it seems a little buggy on my end). No drilldown and mouse-over on the legend is not reliable.

Click on the little charting icon and then 'formatting options'
ensure it's a column chart,
multi-series mode = split,
missing values = omit
Goto Y-axis, and set the min value to 0.99 max value to 1.01

This will be a rather ugly hack showing the presence of a transaction as (set of) block(s). There will be a small whitespace between connected columns, e.g. --- -- - would indicate three transactions, the first is 45 minutes long, then a 15 min break, then a 30-min transaction, then a 30 min break, and finally a 15 min transaction.

There is probably a simpler way of doing this.


0 Karma


I already was afraid for that. So I understand that using the transaction command is not the way to go. Can it be done in another way? Using bucket, etc.?

0 Karma

Ultra Champion

I believe that the timestamp of the transacation as a whole is set to the timestamp of first event that makes up a transaction. The properties like duration and eventcount, are created once for each transaction. Thus you get a peak at 4PM, and none after that.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...