Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timing inner transactions

RVDowning
Contributor
‎06-09-2014 12:49 PM

I Have transactions within transactions, namely something like the following:

PlanId, [OPEN PLAN START] Action="AAA"
.
PlanId, [OPEN PLAN End] Action="AAA"
PlanId, [BBB START] Action="BBB"
.
.
PlanId, [BBB End]Action="BBB"
PlanId, [MMM START] Action="MMM"
.
.
PlanId, [MMM End]Action="MMM"

this would be followed by another transaction with a new PlanId, etc.

I can do the following:
source="blahblah" | transaction PlanId startswith="[OPEN PLAN START]"
| table PlanId, Action, duration
which gives me a table of the PlanIds, Actions, and durations of the outer transaction.

The question is, how can I get the durations of the individual actions within each PlanID, namely the duration of AAA, BBB, MMM, etc.

Also, it would be of interest to get the average durations of all AAA, BBB, MMM etc across all PlanIds.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-09-2014 01:03 PM

Try something like this

source="blahblah" | transaction PlanId,Action startswith="START]" endswith="END]" | table PlanId, Action, duration
0 Karma
Reply

somesoni2
Revered Legend
‎06-10-2014 12:03 PM

What issue do you see in the output of the answer I gave? Since, we don't know the actual events, it would help if you can describe how far it is from the expected.

0 Karma
Reply

RVDowning
Contributor
‎06-10-2014 11:32 AM

I wasn't sufficiently clear in my problem description.

Guess what I'm looking for is output something like:
PlanID1 AAA duration
BBB duration
.
EEE duration
PlanId2 AAA duration
BBB duration
.
EEE duration
.
.

etc.

(of course the AAA, BBB, etc are not in alphabetical order.

So, a given PlanId may be opened more than once and will have its own set of internal transactions. Each will start with [OPEN PLAN START] and continue as long as the PlanId stays the same and another [OPEN PLAN START] is not encountered.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...