Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction command - Way to change from timestamp to a different field?

Maycockk
Explorer
‎12-02-2020 02:09 AM

Good morning all,

I'm leveraging the transaction command in order to gather statistics around the duration of my requests in order to report on them. By default the transaction command leverages the _time field (timestamp) to calculate the duration for the transaction. However, the issue I'm facing is the timestamp appear to have intermittent jumps in it that's skewing my numbers. I'd assume it's just forwarded config perhaps.

I do have a second, more accurate, timestamps available to me that I'd like to leverage "ServerTime" which has been added to our events. I'm just trying to understand if I can override the transaction command to use the ServerTime field I have rather than the timestamp?

See attached screenshots demonstrating the issue. Thx in advance everyone  🙂

 

Labels (1)
Labels
Preview file
139 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎12-02-2020 04:19 AM

You can rewrite "_time" to be a valid timestamp from your event data, and then the transaction command will use that value instead.

 

For example, if you have a field called ServerTime in the format "12/02/2020 09:32:24 AM":

 

 

index=main source=http:xxxx ServiceName=xxxx OR ServiceName=xxxx CorrelationID=xxxx |rex xxxxxxxx|eval _time=strptime(ServerTime,"%m/%d/%Y %I:%M:%S %p") |transaction RawCorrelationID |stats count by duration

 

 

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎12-02-2020 04:19 AM

You can rewrite "_time" to be a valid timestamp from your event data, and then the transaction command will use that value instead.

 

For example, if you have a field called ServerTime in the format "12/02/2020 09:32:24 AM":

 

 

index=main source=http:xxxx ServiceName=xxxx OR ServiceName=xxxx CorrelationID=xxxx |rex xxxxxxxx|eval _time=strptime(ServerTime,"%m/%d/%Y %I:%M:%S %p") |transaction RawCorrelationID |stats count by duration

 

 

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

Maycockk
Explorer
‎12-02-2020 04:45 AM

Perfect, worked a charm! Thank you kindly

0 Karma
Reply
Solved! Jump to solution

Maycockk
Explorer
‎12-02-2020 02:10 AM

Here is a screenshot showing difference in _time timestamp however around same time as per ServerTime field we have available.

Preview file
152 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...