Splunk Search

Transaction starts with ends with

chookp
Explorer

Hi, does anyone know if there is a way for transaction startswith/endswith to take the middle result? For example, I have transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP".

In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.

Apparently the transaction command works with RUN,STOP, but if there is RUN,RUN,RUN,STOP it will only take the last part, the RUN,STOP.

Does anyone know a way it can get the information from RUN,....,....,STOP, and also, for RUN,STOP,STOP, get RUN,....,STOP?

I hope you all understand what I meant.

1 Solution

woodcock
Esteemed Legend

Ditch transaction; it is overkill and does not scale well. Try this instead:

... | streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME 
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME 


chookp
Explorer

Transaction ASSET_NAME startswith=VALUE="RUN" endswith=VALUE="STOP"

0 Karma


to4kawa
Ultra Champion
... 
| reverse
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME 
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME 

transaction can use eval, so you can make conditions other than startswith and endswith,
but I recommend @woodcock's solution.

This query's streamstats groups by ASSET_NAME until VALUE="STOP".
Isn't this the same as transaction?

If you need duration and linecount, try range() and count with stats.

Why do I add reverse? The newest event is on top by default.
streamstats works from the top, so you need reverse OR sort 0 _time.

0 Karma

chookp
Explorer

Hi, thanks for the help. I had tried the command and it works well enough, but the problem is that my field VALUE contains "run, stop, normal, low, inconsistencies, etc.", a lot of different values, and what I need is only from the first run to the first stop. Using your command, they are adding to the duration, which I don't need, for example the normal, low, etc. VALUEs. Is there a way to just get RUN to STOP?

0 Karma

woodcock
Esteemed Legend

Sure, just add this to the foundational search and keep the rest the same:

... AND (VALUE="RUN" OR VALUE="STOP") ...
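
As an added illustration (not code from this thread), here is a Python model of what the accepted streamstats/stats pipeline, with the RUN/STOP filter above, computes on the question's RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP sequence; the events and timestamps are constructed. It also shows why the order in which events reach streamstats matters: counting STOPs newest-first (Splunk's default) groups each STOP with the RUNs before it, while oldest-first groups it with the RUNs after it.

```python
# Constructed sample events for one ASSET_NAME, listed oldest first. The VALUE
# sequence RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP is the question's,
# with NORMAL/LOW mixed in to mirror the follow-up about extra values.
TIME_ORDERED = [
    (100, "RUN"), (110, "NORMAL"), (120, "STOP"),
    (200, "RUN"), (210, "RUN"), (220, "LOW"), (230, "RUN"), (240, "STOP"),
    (300, "RUN"), (310, "STOP"), (320, "STOP"),
    (400, "RUN"), (410, "STOP"),
]

def streamstats_stop_count(events):
    """Model of `streamstats count(eval(VALUE="STOP")) AS TransactionID`: a
    running count of STOP events (current event included) in arrival order."""
    tagged, n = [], 0
    for t, v in events:
        if v == "STOP":
            n += 1
        tagged.append((n, t, v))
    return tagged

def stats_by_transaction(tagged):
    """Model of `stats range(_time) AS duration list(VALUE) AS VALUES
    min(_time) AS _time BY TransactionID`."""
    groups = {}
    for tid, t, v in tagged:
        groups.setdefault(tid, []).append((t, v))
    rows = []
    for tid, members in sorted(groups.items()):
        times = [t for t, _ in members]
        rows.append({"TransactionID": tid, "_time": min(times),
                     "duration": max(times) - min(times),
                     "VALUES": [v for _, v in members]})
    return rows

def run_stop_transactions(time_ordered, newest_first=True):
    """Apply the filter `(VALUE="RUN" OR VALUE="STOP")`, then hand the events
    to streamstats newest first (Splunk's default order) or oldest first."""
    kept = [(t, v) for t, v in time_ordered if v in ("RUN", "STOP")]
    ordered = sorted(kept, reverse=newest_first)
    return stats_by_transaction(streamstats_stop_count(ordered))

if __name__ == "__main__":
    # Newest first: each STOP closes a transaction that starts at the first
    # RUN before it, so RUN,RUN,RUN,STOP becomes one row with duration 40.
    # A STOP with no RUN before it (the RUN,STOP,STOP case) gives a
    # zero-duration row whose VALUES is just ["STOP"]; filter those out.
    for row in run_stop_transactions(TIME_ORDERED):
        print(row)
```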

chookp
Explorer

thanks everything works nicely now 🙂

0 Karma

to4kawa
Ultra Champion

In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.
Only the first RUN and STOP?

0 Karma

chookp
Explorer

[screenshot 1: transaction results]

Hi, above is a sample of my events using transaction to get each of my pump run and stop durations. My issue is that when there is a run, run, stop event it will take the latest run and the first stop.
Below is my full list of events; I did an mvindex so that you are able to see the full run/stop events with the time.
[screenshot 2: full list of RUN/STOP events]

The first picture shows my transaction command; the information I circled is where I spot the error, where it fails to detect my first "RUN". The second picture shows the full list of events; the part where I put a "?" is the missing information, and the arrow pointing to it is the wrong RUN.

So I would like to check if there is a way to allow transaction to take in the first "RUN" and first "STOP" that it sees, or if there is another command with which I can compare the next value, such that if it's a RUN I can change the value of something. I hope this clarifies my doubt, thanks.

0 Karma


rmmiller
Contributor

What does the transaction command that's producing these results look like?

0 Karma

anmolpatel
Builder

@chookp post a couple of sample events to assist.

0 Karma