Splunk Search

Transaction starting and ending 'event' are not always showing the correct overview

Sentira
Explorer

Hi,

I am trying to create a Transaction where my starting and ending 'event' are not always showing the correct overview.  I expect the yellow marked group events as result:

Data.jpg


index=app sourcetype=prd_wcs host=EULMFCP1WVND121 "EquipmentStatusRequest\"=" D0022
| eval _raw = replace(_raw, "\\\\", "")
| eval _raw = replace(_raw, "\"", "")
| rex "Chute:DTT_S01.DA01.(?<Door>[^\,]+)"
| rex "EquipmentName:DTT_S01.DA01.(?<EquipmentName>[^\,]+)"
| rex "EquipmentType:(?<EquipmentType>[^\,]+)"
| rex "Status:(?<EquipmentStatus>[^\,]+)"
| rex "TypeOfMessage:(?<TypeOfMessage>[^\}]+)"
| eval Code = EquipmentStatus+"-"+TypeOfMessage+"-"+EquipmentType
| lookup Cortez_SS_Reasons.csv CODE as Code output STATE as ReasonCode
| where ReasonCode = "Ready" OR ReasonCode = "Full"
| transaction EquipmentName startswith=(ReasonCode="Full") endswith=(ReasonCode="Ready")  
| eval latestTS = _time + duration
| eval counter=1
| accum counter as Row
| table _time latestTS Row  ReasonCode
| eval latestTS=strftime(latestTS,"%Y-%m-%d %H:%M:%S.%3N")

The script above shows the following overview as a result, and the marked line is not correct. I don't know how this has happened, because I expect that the Transaction function will always take the first events starting with "Ready" and ending with "Full".

Invalid Result.jpg

Thanks in advance.


Sentira
Explorer

Thanks, this script gives only 3 rows. But I want to have an overview like this (TS: timestamp of the event):

Sentira_0-1728302886074.png


ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| streamstats count by ReasonCode EquipmentName reset_on_change=t global=f
| where count=1

PickleRick
SplunkTrust
SplunkTrust

OK. So you want to have a "transaction" consisting of any sequence of Full events ending with a single Ready event. Any Ready events not preceded by a Full event are not a part of any transaction and should be discarded?

| streamstats current=f window=1 values(ReasonCode) as LastReasonCode
| where ReasonCode="Full" OR LastReasonCode="Full" OR isnull(LastReasonCode)

This should filter out the events which are Ready and are preceded by Ready.

Now we can mark beginnings of each of those "streaks"

| eval bump=if(ReasonCode="Full" AND LastReasonCode="Ready",1,0)

And we can find which transaction is which

| streamstats current=t sum(bump) as tran_id

Now you have your unique transaction ID which you can use to find first and last timestamp

| stats min(_time) as earliest max(_time) as latest by tran_id
| eval duration=latest-earliest

Sentira
Explorer


Unfortunately your script does not provide the correct overview.

Sentira_0-1728312168528.png


I want to know how long a machine has had a "Full" status. I can calculate that by taking the first "Full" status and the first "Ready" status together; the difference is the duration.

For example:

Full  --> This one
Full  --> Skip
Ready --> This one
Full  --> This one
Ready --> This one
Full  --> This one
Full  --> Skip
Ready --> This one
Ready --> Skip


PickleRick
SplunkTrust
SplunkTrust

Your input data is definitely _not_ in the same order as shown in the opening post.


ITWhisperer
SplunkTrust
SplunkTrust

Transaction seems to have a mind of its own (there are some not well documented nuances to how it works). Try something like this before your transaction command (to give it a hand!)

| streamstats count(eval(ReasonCode="Full")) as fullCount count(eval(ReasonCode="Ready")) as readyCount by EquipmentName
| where fullCount=1 OR readyCount=1

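As an added reference implementation (plain Python, not SPL, and not code from anyone in this thread), this applies the pairing rule Sentira listed (the first Full opens a streak, extra Fulls and trailing Readys are skipped, the first Ready closes it) per EquipmentName, which is the same grouping the streamstats answers aim for. Equipment names and timestamps are constructed, and the sample is deliberately listed newest-first, as Splunk returns events, to show that the pairing only works once the order is made explicit.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    time: float       # _time as epoch seconds
    equipment: str    # EquipmentName
    reason: str       # ReasonCode: "Full" or "Ready"

def full_ready_streaks(events: List[Event]) -> List[dict]:
    """Pair the first Full with the next Ready, per equipment.
    Rule from the thread: the first Full opens a streak, further Fulls before
    a Ready are skipped, the first Ready closes the streak, and a Ready with no
    open streak (preceded by Ready, or by nothing) is dropped. Events are sorted
    oldest-first here because Splunk returns them newest-first by default and
    the pairing depends on order.
    """
    open_full: Dict[str, Event] = {}
    streaks: List[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.reason == "Full":
            open_full.setdefault(ev.equipment, ev)   # keep only the first Full
        elif ev.reason == "Ready":
            start = open_full.pop(ev.equipment, None)
            if start is None:
                continue                              # Ready without open Full: skip
            streaks.append({
                "EquipmentName": ev.equipment,
                "earliest": start.time,
                "latest": ev.time,
                "duration": ev.time - start.time,
            })
    # Anything left in open_full is equipment still Full at the end of the window.
    return streaks

def sample_events() -> List[Event]:
    """Constructed sample (names and times made up) mirroring the thread's
    Full/Full/Ready/Full/Ready/Full/Full/Ready/Ready sequence for one machine,
    plus a second machine, listed newest-first as Splunk would return them."""
    rows = [
        (180, "D01", "Ready"), (170, "D01", "Ready"), (160, "D01", "Full"),
        (150, "D01", "Full"),  (140, "D01", "Ready"), (130, "D01", "Full"),
        (125, "D02", "Ready"), (120, "D01", "Ready"), (115, "D02", "Full"),
        (110, "D01", "Full"),  (105, "D02", "Ready"), (100, "D01", "Full"),
    ]
    return [Event(t, eq, r) for t, eq, r in rows]

if __name__ == "__main__":
    for s in full_ready_streaks(sample_events()):
        print(s)
```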