Splunk Search

Spreading transaction duration over spans

davidjehoul
Explorer

Hi,
I have some data containing transactions that might take short (a couple of seconds) or very long (hours). I want to have a timechart that shows the duration of the transactions in spans of 15 minutes. I have the following:

source="<source>" | transaction tr startswith="start" endswith="end" | timechart sum(duration) span=15m by tr

This works nicely when the transaction is not longer than 15 minutes, but when the duration is e.g. 1 hour and started at 4 PM, I have a tall bar in the span from 4:00PM to 4:15PM and none in the following 3 spans. What I want is to have a bar of 15 minutes in the first span, 15 minutes in the seconds span (4:15PM to 4:30PM), etc.
Is this possible?

Thanks!
David

Tags (2)
0 Karma

kristian_kolb
Ultra Champion

This may not be exactly what you're looking for, but if you just want to have an overview;

... | bucket _time span=15m | dedup tr _time | timechart c span=15m by tr |

Assumption is that the tr transaction identifier can be used as such, without any startswith/endswith constraints. So now you'll have a '1' or '0' for each 15-minute block per transaction. So this will NOT measure the real duration of a transaction, it will just show whether parts of a transaction happened during a 15 min block. This can be visualised like below (although it seems a little buggy on my end). No drilldown and mouse-over on the legend is not reliable.

Click on the little charting icon and then 'formatting options'
ensure it's a column chart,
multi-series mode = split,
missing values = omit
Goto Y-axis, and set the min value to 0.99 max value to 1.01

This will be a rather ugly hack showing the presence of a transaction as (set of) block(s). There will be a small whitespace between connected columns, e.g. --- -- - would indicate three transactions, the first is 45 minutes long, then a 15 min break, then a 30-min transaction, then a 30 min break, and finally a 15 min transaction.

There is probably a simpler way of doing this.

/k

0 Karma

davidjehoul
Explorer

I already was afraid for that. So I understand that using the transaction command is not the way to go. Can it be done in another way? Using bucket, etc.?

0 Karma

kristian_kolb
Ultra Champion

I believe that the timestamp of the transacation as a whole is set to the timestamp of first event that makes up a transaction. The properties like duration and eventcount, are created once for each transaction. Thus you get a peak at 4PM, and none after that.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...