Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Transaction Maxpause doesn't work
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edookati
Path Finder
03-16-2017
10:54 PM
I am trying to get the transaction results from a lookup file and I have _time field written into it for this to work. The duration condition seems to be working, but the query stops working the moment I add maxpause condition to it. Below is the query I am currently trying to fix.
Please help me here.
| inputlookup LOOKUP.csv
| eval durationLimitInSeconds=durationLimitInMinutes*60
| eval now=now()
| eval temp=(now-(2*60*60)-120)
| where _time>temp
| transaction maxpause=10s code
| where eventcount>2 AND duration>durationLimitInSeconds
| fields _time code duration durationLimitInSeconds eventcount
Below is the sample data, if it helps. I want events with pause more than a few seconds (10s) to be considered as a different transaction, but the query I use treats all of them as single event and if I include maxpause, the query doesn't work at all.
_time duration_measure code loglevel durationLimitInMinutes
2017-03-17 00:25:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:19:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:57 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:12 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-17-2017
10:36 AM
Do not use transaction; we can use streamstats to implement your maxpause requirement to manufacture sessionIDs.
This fakes your data:
| makeresults
| eval raw="2017-03-17 00:25:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:19:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:57 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:12 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10"
| rex field=raw mode=sed "s/[\r\n]+\s*/::/g"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "\s*(?<time>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+(?<duration_measure>\S+)\s+(?<code>\S+)\s+(?<loglevel>\S+)\s+(?<durationLimitInMinutes>\S+)$"
| eval _time = strptime(time, "%Y-%m-%d %H:%M:%S")
| fields - raw time
This is your solution:
| eval durationLimitInSeconds=durationLimitInMinutes*60
| where _time>relative_time(now(), "-2h-120")
| streamstats current=f last(_time) AS next_time BY code
| eval pause = next_time - _time
| fillnull value="0" pause
| streamstats count(eval(pause>10)) AS sessionID BY code
| fields - next_time pause
| stats min(_time) AS _time values(*) AS * range(_time) AS duration count AS eventcount BY code sessionID
At this time, to see it work requires the removal of this line: | where _time>relative_time(now(), "-2h-120").
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-17-2017
10:36 AM
Do not use transaction; we can use streamstats to implement your maxpause requirement to manufacture sessionIDs.
This fakes your data:
| makeresults
| eval raw="2017-03-17 00:25:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:21 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:11 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:25:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:27 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:24:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:45 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:23:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:22:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:21:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:46 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:20:00 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-17 00:19:48 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:22 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:59:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:57 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:55 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:58:41 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:12 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:09 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10
2017-03-16 23:49:06 m EVENTAPI_FAILED_PROPORTION_ERROR ERROR 10"
| rex field=raw mode=sed "s/[\r\n]+\s*/::/g"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "\s*(?<time>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+(?<duration_measure>\S+)\s+(?<code>\S+)\s+(?<loglevel>\S+)\s+(?<durationLimitInMinutes>\S+)$"
| eval _time = strptime(time, "%Y-%m-%d %H:%M:%S")
| fields - raw time
This is your solution:
| eval durationLimitInSeconds=durationLimitInMinutes*60
| where _time>relative_time(now(), "-2h-120")
| streamstats current=f last(_time) AS next_time BY code
| eval pause = next_time - _time
| fillnull value="0" pause
| streamstats count(eval(pause>10)) AS sessionID BY code
| fields - next_time pause
| stats min(_time) AS _time values(*) AS * range(_time) AS duration count AS eventcount BY code sessionID
At this time, to see it work requires the removal of this line: | where _time>relative_time(now(), "-2h-120").
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edookati
Path Finder
03-21-2017
07:56 PM
Thanks. It works. Can you please explain what eval(pause>10) does here? Does it count the instances of all pauses which are greater than 10 seconds. Also, how do I store the session ID and not repeat it, at least for a couple of days. Sorry, I am not familiar with streamstats.
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-22-2017
08:20 AM
It keeps a running total when scanning from the newest event backwards towards the last event. If the event being examined has a pause<=10 then the count is not incremented so that event is included with the previous events by sessionID. There is no way to store it that makes any sense at all (more work than just recalculating it).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edookati
Path Finder
03-23-2017
12:43 AM
Thanks a lot.
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
