- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Spreading transaction duration over spans
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spreading transaction duration over spans
Hi,
I have some data containing transactions that might take short (a couple of seconds) or very long (hours). I want to have a timechart that shows the duration of the transactions in spans of 15 minutes. I have the following:
source="<source>" | transaction tr startswith="start" endswith="end" | timechart sum(duration) span=15m by tr
This works nicely when the transaction is not longer than 15 minutes, but when the duration is e.g. 1 hour and started at 4 PM, I have a tall bar in the span from 4:00PM to 4:15PM and none in the following 3 spans. What I want is to have a bar of 15 minutes in the first span, 15 minutes in the seconds span (4:15PM to 4:30PM), etc.
Is this possible?
Thanks!
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may not be exactly what you're looking for, but if you just want to have an overview;
... | bucket _time span=15m | dedup tr _time | timechart c span=15m by tr |
Assumption is that the tr transaction identifier can be used as such, without any startswith/endswith constraints. So now you'll have a '1' or '0' for each 15-minute block per transaction. So this will NOT measure the real duration of a transaction, it will just show whether parts of a transaction happened during a 15 min block. This can be visualised like below (although it seems a little buggy on my end). No drilldown and mouse-over on the legend is not reliable.
Click on the little charting icon and then 'formatting options'
ensure it's a column chart,
multi-series mode = split,
missing values = omit
Goto Y-axis, and set the min value to 0.99 max value to 1.01
This will be a rather ugly hack showing the presence of a transaction as (set of) block(s). There will be a small whitespace between connected columns, e.g. --- -- - would indicate three transactions, the first is 45 minutes long, then a 15 min break, then a 30-min transaction, then a 30 min break, and finally a 15 min transaction.
There is probably a simpler way of doing this.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already was afraid for that. So I understand that using the transaction command is not the way to go. Can it be done in another way? Using bucket, etc.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that the timestamp of the transacation as a whole is set to the timestamp of first event that makes up a transaction. The properties like duration and eventcount, are created once for each transaction. Thus you get a peak at 4PM, and none after that.
Enterprise Security Content Updates (ESCU) - New Releases
Thought Leaders are Validating Your Hard Work and Training Rigor
.conf23 Registration is Now Open!
