Splunk Search

Transaction and Duration

ctripod
Explorer

Hi all!

Does transaction calculate duration per "transaction" or from the first event in the transaction to the last event in the last transaction (active - #1 to Inactive - #2)? I need to average the sum of all durations of EACH transaction.

sourcetype=app | transaction userA startswith=eval(active) endswith=eval(inactive) | stats avg(duration) as duration | eval duration = tostring(duration,"duration")

userA
active - #1
inactive - #1
(duration #1)

(Time of Inactivity is disregarded)

userA
active - #2
Inactive - #2
(duration #2)

Sum = Duration #1 + Duration #2 = what I need

I couldn't find this in the docs. As a sub-question, how can I remove HH and SSS from the tostring(duration, "duration") output? I don't need either field. Thanks everyone!


lguinn2
Legend

If a transaction represents a "session", then the following will give you the average across all sessions. Each session has its own duration, as you described it above. The average function will do what you want:

sourcetype=app 
| transaction username startswith=eval(active) endswith=eval(inactive) 
| stats avg(duration) as avgDuration
| eval avgDuration = tostring(avgDuration,"duration")

avgDuration is expressed in seconds. If you don't want the hours and seconds, you could do this to get only the minutes:

| eval avgDuration = round(avgDuration/60,0)

One way to verify this for yourself is to look at the intermediate results. For example:

sourcetype=app 
| transaction username startswith=eval(active) endswith=eval(inactive) 
| table username duration

will show you the intermediate data that is passed to the stats command.

ctripod
Explorer

Thank you! This was very helpful. I confirmed that the duration is for each transaction within the given time period by tabling the duration of my query, then doing the avg(duration) after confirming the question I had. Here is the query I came up with which has a very nice format for simple human consumption.

eventtype=mobile action="App_Active" OR action="App_Inactive" | transaction user_email startswith=eval(action="App_Active") endswith=eval(action="App_Inactive") | stats avg(duration) as seconds | `sec2time(seconds,time_spent)` | fields time_spent | eval shortened = substr(time_spent,10,16) | table shortened

I used a cool macro that someone out there created called "sec2time", then used substring to remove the day and hour (since the duration will always be at most in minutes).

Result in panel: 4m 13s

Thank you again for the help!

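The two points settled in the thread (that `transaction ... startswith/endswith` yields one `duration` per session, so `stats avg(duration)` averages sessions and ignores idle time between them, and that the result can be rendered compactly as "4m 13s") can be checked offline with the following model. This is an added example, not code from the thread or from Splunk: it pairs each user's start event with the next end event, computes one duration per pair, averages them, and contrasts that with the first-start-to-last-end span the question was worried about. The events, the user/action field names, and the timestamps are constructed; unclosed starts are simply dropped here, and Splunk's own handling of incomplete transactions (keepevicted and related options) is not modeled.

```python
"""Model of `transaction <user> startswith=... endswith=...` duration semantics.

Added example, not code from the thread or from Splunk. One duration per
start/end pair (Splunk's per-transaction `duration`), averaged like
`stats avg(duration)`, contrasted with the first-to-last span of a user.
Unclosed starts are dropped; Splunk's handling of incomplete transactions
(keepevicted etc.) is not modeled.
"""
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real data). Field names mirror the
# final query in the thread: user_email / action.
EVENTS = [
    ("2023-05-01 09:00:00", "a@example.com", "App_Active"),
    ("2023-05-01 09:04:13", "a@example.com", "App_Inactive"),  # 4m13s
    ("2023-05-01 11:00:00", "a@example.com", "App_Active"),    # idle gap before this is not counted
    ("2023-05-01 11:02:00", "a@example.com", "App_Inactive"),  # 2m00s
    ("2023-05-01 09:30:00", "b@example.com", "App_Active"),
    ("2023-05-01 09:36:26", "b@example.com", "App_Inactive"),  # 6m26s
    ("2023-05-01 12:00:00", "b@example.com", "App_Active"),    # never closed: dropped
]


def _parsed(events):
    """Return events as (datetime, user, action) in chronological order."""
    return sorted(
        ((datetime.strptime(ts, FMT), user, action) for ts, user, action in events),
        key=lambda e: e[0],
    )


def sessions(events, start_action="App_Active", end_action="App_Inactive"):
    """One (user, duration_seconds) per start/end pair, the rows that
    `| transaction user_email startswith=... endswith=... | table user_email duration`
    would show."""
    open_start = {}
    out = []
    for ts, user, action in _parsed(events):
        if action == start_action:
            open_start[user] = ts          # a new start supersedes an unclosed one
        elif action == end_action and user in open_start:
            out.append((user, (ts - open_start.pop(user)).total_seconds()))
    return out


def avg_session_seconds(events):
    """Equivalent of `| stats avg(duration)` over the per-session rows."""
    durations = [d for _, d in sessions(events)]
    return mean(durations) if durations else 0.0


def first_to_last_seconds(events, user):
    """The span the question worried about: first start to last end for
    one user, idle time included. This is NOT what transaction's duration is."""
    ev = [(ts, a) for ts, u, a in _parsed(events) if u == user]
    starts = [ts for ts, a in ev if a == "App_Active"]
    ends = [ts for ts, a in ev if a == "App_Inactive"]
    return (max(ends) - min(starts)).total_seconds()


def splunk_duration_string(seconds):
    """HH:MM:SS, the form tostring(x, "duration") renders for spans under a day."""
    s = int(round(seconds))
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def minutes_seconds(seconds):
    """Compact '4m 13s' rendering like the thread's final panel, with days
    and hours folded into minutes so nothing has to be substr'd off."""
    s = int(round(seconds))
    return f"{s // 60}m {s % 60}s"


if __name__ == "__main__":
    for user, d in sessions(EVENTS):
        print(f"{user:16} duration={d:6.0f}s  {splunk_duration_string(d)}")
    avg = avg_session_seconds(EVENTS)
    print("avg per-session duration:", minutes_seconds(avg))
    print("a@example.com first-active to last-inactive:",
          splunk_duration_string(first_to_last_seconds(EVENTS, "a@example.com")))
```

Running it lists three sessions (253 s, 386 s, 120 s), an average of 253 s rendered as "4m 13s", and a first-to-last span for a@example.com of 02:02:00, which is the idle-inclusive figure the question wanted to rule out. Folding hours into minutes in `minutes_seconds` sidesteps the substring trick from the final query, which silently cuts off the hours once a session exceeds 59 minutes.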