Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction shows incomplete statistics

sunnyb147
Path Finder
‎06-25-2019 05:21 AM

Hi All,
I am trying to group the events using transaction command but looks like some of the data is not visible in the statistics.

  1. Are there any limit kind of a thing which we can set?
  2. If I run below search for lets say a day or two it works fine, but if I run this search for 7 days it shows the result just for 5 days.

Sample search: 

(index=test1 logpoint="request-in") OR (index=test1 logpoint="response-in")
| transaction transaction-id startswith="request-in" endswith="response-in" maxevents=2 keeporphans=true 
| eval epoch_time=strptime('timestamp-in',"%Y-%m-%dT%H:%M:%S.%N")
| eventstats range(epoch_time) as response_time by transaction-id
| timechart span=1d avg(response_time) as average_duration

alt text

Any help would be highly appreciated.

Thanks,
Sunny

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 01:18 AM

Hi @sunnyb147,

Using transactions is resource intensive you can replace it with this which runs only on stats as it will run way faster:

 index=test1 logpoint="request-in" OR logpoint="response-in"
 | stats first(_time) as start last(_time) as end first(timestamp-in) as timestamp-in by transaction-id 
 | eval _time=strptime('timestamp-in',"%Y-%m-%dT%H:%M:%S.%N")
 | eval duration=tostring(end-start,"duration")
 | timechart span=1d avg(duration) as average_duration

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-27-2019 01:18 AM

Hi @sunnyb147,

Using transactions is resource intensive you can replace it with this which runs only on stats as it will run way faster:

 index=test1 logpoint="request-in" OR logpoint="response-in"
 | stats first(_time) as start last(_time) as end first(timestamp-in) as timestamp-in by transaction-id 
 | eval _time=strptime('timestamp-in',"%Y-%m-%dT%H:%M:%S.%N")
 | eval duration=tostring(end-start,"duration")
 | timechart span=1d avg(duration) as average_duration

Cheers,
David

Reply
Solved! Jump to solution

sunnyb147
Path Finder
‎06-27-2019 02:30 AM

Thanks David for the feedback 🙂 Today morning I realized the same thing and it worked like a charm.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-27-2019 02:32 AM

awesome ! good work 😉

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎06-26-2019 03:03 AM

Ques -
Have you made sure you have relevant data events available on the dates of 18, 19, 20 ?
Is this the same behavior if you run your search over a different set of 7 days ?

0 Karma
Reply
Solved! Jump to solution

sunnyb147
Path Finder
‎06-27-2019 12:49 AM

I think I found the solution, instead of eventstats I used stats and it worked 🙂

Another small question: I cannot mark this question as closed.. could you please guide me on this.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-27-2019 01:12 AM

to close the question, simply answer it if you have the answer and accept your answer 🙂

0 Karma
Reply
Solved! Jump to solution

sunnyb147
Path Finder
‎06-27-2019 02:33 AM

Thank you 🙂 Done !

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...