Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction by source, sourcetype, day

sanjay_shrestha
Contributor
‎12-12-2013 07:45 AM

Following query has been used to calculate duration for individual source (input files) for last 5 days:

index="my_index" earliest=-5d  latest=now| transaction source maxevents=-1 | eval day=strftime(_time,"%m/%d/%Y")| sort - day sourcetype| table day,sourcetype,source,duration

Only transaction by source is used, hoping it would capture all the input files which have unique file name, thus separating its sourcetype and date.

Basically, just need to display duration per individual source file per sourcetype per day.

Thanks,

Sanjay

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:57 AM

There is a much more efficient way to do this:

index="my_index" earliest=-5d  latest=now
| eval day=strftime(_time,"%m/%d/%Y")
| stats range(_time) as duration by day sourcetype source
| eval duration=tostring(duration,"duration")

This is faster and more scalable.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:57 AM

There is a much more efficient way to do this:

index="my_index" earliest=-5d  latest=now
| eval day=strftime(_time,"%m/%d/%Y")
| stats range(_time) as duration by day sourcetype source
| eval duration=tostring(duration,"duration")

This is faster and more scalable.

Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎12-12-2013 09:23 AM

Thanks. It worked better that using transaction.

0 Karma
Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎12-12-2013 08:54 AM

It worked by adding keepevicted=true to transaction command.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-12-2013 08:25 AM

Now the above simply answers your question. I'm sure that there is a more efficient way of going about doing what you need, but I currently don't have time to work on it 😛

Hope the above helps.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-12-2013 08:23 AM

Because you have no limit to the number of events in your transaction, and because you have no start and end points for your transactions, and furthermore you have nothing limiting the transactions other than "source", then you are going to get 1 event (transaction) per source value you have.

You should calculate the day first, then use the day together with the source in your transaction. Like so:
index="my_index" earliest=-5d latest=now | eval day=strftime(_time,"%m/%d/%Y") | transaction source day maxevents=-1 | sort - day sourcetype| table day,sourcetype,source,duration

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...