Splunk Search

Transaction duration exceeding the specified maxpause value


We are using a transaction to group web access events the Client IP and another field we extract (essentially filename, which is the entire "*.flv" at the end of the URL below). The transaction command looks like this

index=cdnmanager sourcetype=squid Node_Type="Edge" | fields Provider Client_IP | transaction Provider,Client_IP maxspan=3h maxpause=10s | where duration > 5 

When we run this against some test data, we are getting a transaction whose duration is 10.464 seconds. The actual events are as shown here in output from the transaction command:

[10/Apr/2011:17:58:42.374+0000] 2524302 TCP_HIT/200 736284 GET http://se01-area4-il-chicago.se.cim-cim-prog.cdn2.comcast.net/fanEntertainment/686/61/2011-02-12t063... video/x-flv 
[10/Apr/2011:17:58:53.020+0000] 2536012 TCP_IMS_HIT/206 448342 GET http://se01-area4-il-chicago.se.cim-cim-prog.cdn2.comcast.net/fanEntertainment/686/61/2011-02-12t063... video/x-flv 

If you take the delta between the timestamps you get 10.646, which is exactly what Splunk reports as the 'duration' field. These events meet the Client IP/Filename grouping criteria, but exceed the specified maxpause value - why is Splunk combining these into a transaction? If it's simply not that granular about the time that's fine, we just need to understand how it's dealing with all the settings so we know what results to expect in various configurations.

  • Tom
Tags (1)

Esteemed Legend

The maxpause is the maximum space between any adjacent events in the transaction whereas maxspan is the maximum space between the first and last events of the transaction: