Splunk Search

Status of a transaction using splunk transaction command

ayush-choudhary
Explorer

i am using transaction command to check the start time and end time of a transaction. 

I have used:

| transaction TxnId startswith="NEW TXN" endswith= "statusY" keeporphans=true | eval starttime=_time | eval endtime=_time+duration | eval starttime=strftime('starttime', "%Y-%m-%d %H:%M:%S.%3N") | eval endtime=strftime('endtime', "%Y-%m-%d %H:%M:%S.%3N") | table TxnId starttime endtime

I want to check if all transactions have start time and end time for the success rate. Now even if the endswith="statusY" is not there, it is calculating its end time. 

What can i do to make sure there should be no end time if the condition endswith="statusY" is not there. And if the condition of both startswith and endswith is met table should show status as success or else blank.

 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ayush-choudhary,

the transaction command is a very slow and expensive command, please try a different approach:

your_search ("NEW TXN" OR "statusY")
| stats earliest(_time) AS starttime latest(_time) AS endtime BY TxnId 
| eval starttime=strftime('starttime', "%Y-%m-%d %H:%M:%S.%3N"), endtime=strftime('endtime', "%Y-%m-%d %H:%M:%S.%3N") 
| table TxnId starttime endtime

This approach is possible when you have an ID to use to group events.

Ciao.

Giuseppe

0 Karma

ayush-choudhary
Explorer

@gcusello 

thanks, but with this query as well i am getting an endtime for a TxnId for with there is no "statusY"
i am finding something with can show me no value for endtime for a TxnId that do not have "statusY".

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi, ok, please try this:

your_search ("NEW TXN" OR "statusY")
| stats earliest(_time) AS starttime latest(_time) AS endtime count BY TxnId 
| eval 
     status=case(count=2,"Both present",searchmatch("NEW TXN"),"Only NEW TXN",searchmatch("statusY"),"Only statusY"), 
     starttime=strftime('starttime', "%Y-%m-%d %H:%M:%S.%3N"), 
     endtime=strftime('endtime', "%Y-%m-%d %H:%M:%S.%3N") 
| table TxnId starttime endtime status

in this way you can identify all the conditions and take only the ones you want.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...