Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Transaction by source, sourcetype, day

sanjay_shrestha
Contributor
‎12-12-2013 07:45 AM

Following query has been used to calculate duration for individual source (input files) for last 5 days:

index="my_index" earliest=-5d  latest=now| transaction source maxevents=-1 | eval day=strftime(_time,"%m/%d/%Y")| sort - day sourcetype| table day,sourcetype,source,duration

Only transaction by source is used, hoping it would capture all the input files which have unique file name, thus separating its sourcetype and date.

Basically, just need to display duration per individual source file per sourcetype per day.

Thanks,

Sanjay

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:57 AM

There is a much more efficient way to do this:

index="my_index" earliest=-5d  latest=now
| eval day=strftime(_time,"%m/%d/%Y")
| stats range(_time) as duration by day sourcetype source
| eval duration=tostring(duration,"duration")

This is faster and more scalable.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 08:57 AM

There is a much more efficient way to do this:

index="my_index" earliest=-5d  latest=now
| eval day=strftime(_time,"%m/%d/%Y")
| stats range(_time) as duration by day sourcetype source
| eval duration=tostring(duration,"duration")

This is faster and more scalable.

Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎12-12-2013 09:23 AM

Thanks. It worked better that using transaction.

0 Karma
Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎12-12-2013 08:54 AM

It worked by adding keepevicted=true to transaction command.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-12-2013 08:25 AM

Now the above simply answers your question. I'm sure that there is a more efficient way of going about doing what you need, but I currently don't have time to work on it 😛

Hope the above helps.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-12-2013 08:23 AM

Because you have no limit to the number of events in your transaction, and because you have no start and end points for your transactions, and furthermore you have nothing limiting the transactions other than "source", then you are going to get 1 event (transaction) per source value you have.

You should calculate the day first, then use the day together with the source in your transaction. Like so:
index="my_index" earliest=-5d latest=now | eval day=strftime(_time,"%m/%d/%Y") | transaction source day maxevents=-1 | sort - day sourcetype| table day,sourcetype,source,duration

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...