Splunk Search

Transaction starts with ends with

Engager

Hi, does anyone know if there is a way for transaction startswith/endswith to take the middle result? For example, I have transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP".

In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.

Apparently the transaction command works with RUN,STOP, but if there is RUN,RUN,RUN,STOP it will only take the last part, the RUN,STOP.

Does anyone know a way it can get information from RUN,....,....,STOP, and also, for RUN,STOP,STOP, get RUN,....,STOP?

I hope you all understand what I meant.


Re: Transaction starts with ends with

Builder

@chookp post a couple of sample events to assist.


Re: Transaction starts with ends with

Engager

[image: screenshot of the transaction results]

Hi, above is a sample of my events, using transaction to get each of my pump run and stop durations. My issue is that when there is a run, run, stop sequence of events it will take the latest run and the first stop.
Below is my full list of events; I did an mvindex so that you are able to see the full run/stop events with their times.
[image: screenshot of the full event list]

The first picture shows my transaction command. The information I circled is where I spotted the error, where it failed to detect my first "RUN". The second picture shows the full list of events; the part where I put a "?" is the missing information, and the arrow pointing to it is the wrong RUN.

So I would like to check whether there is a way to allow transaction to take in the first "RUN" and first "STOP" that it sees, or whether there is another command with which I can compare the next value, such that if it is a RUN I can change the value of something. I hope this clarifies my doubt. Thanks.


Re: Transaction starts with ends with

Contributor

What does the transaction command that's producing these results look like?


Re: Transaction starts with ends with

Engager

transaction ASSET_NAME startswith=VALUE="RUN" endswith=VALUE="STOP"


Re: Transaction starts with ends with

Esteemed Legend

Ditch transaction; it is overkill and does not scale well. Try this instead:

... | streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME 
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME 


Re: Transaction starts with ends with

Ultra Champion
... 
| reverse
| streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME 
| stats range(_time) AS duration list(VALUE) AS VALUES min(_time) AS _time BY TransactionID ASSET_NAME 

transaction can use eval; you can make conditions other than startswith and endswith,
but I recommend @woodcock's solution.

This query's streamstats groups by ASSET_NAME until VALUE="STOP".
Isn't this the same as transaction?

If you need duration and linecount, try range() and count with stats.

Why do I add reverse? The newest event is at the top by default.
streamstats works from the top, so you need reverse OR sort 0 _time.


Re: Transaction starts with ends with

Engager

Hi, thanks for the help. I had tried the command and it works well enough... but the problem is that my field VALUE contains "run, stop, normal, low, inconsistencies, ... etc.", a lot of different values, and what I need is only from the first run to the first stop. Using your command, they are adding to the duration, which I don't need, for example the normal, low, etc. VALUEs. Is there a way to just get RUN to STOP?


Re: Transaction starts with ends with

Ultra Champion

> In my data there is RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP.

Only the first RUN and STOP?


Re: Transaction starts with ends with

Esteemed Legend

Sure, just add this to the foundational search and keep the rest the same:

... AND (VALUE="RUN" OR VALUE="STOP") ...
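To make the streamstats grouping from the accepted answer and this RUN/STOP filter concrete, here is an added Python model of that pipeline (not Splunk code and not written by any poster) run over constructed events in the question's RUN/STOP pattern. It assumes Splunk's defaults, namely that events arrive newest first and that streamstats counts the current event (current=true), and also shows why the ordering matters: a newest-first pass closes each group at its STOP, while a chronological pass puts each STOP at the head of the following group.

```python
from datetime import datetime, timedelta

# Constructed sample events for one pump, oldest first: the question's
# RUN,STOP,RUN,RUN,RUN,STOP,RUN,STOP,STOP,RUN,STOP pattern with the
# NORMAL/LOW readings the follow-up post mentions mixed in.
T0 = datetime(2020, 1, 1)
SEQUENCE = ["RUN", "NORMAL", "STOP", "RUN", "LOW", "RUN", "RUN", "STOP",
            "RUN", "STOP", "STOP", "NORMAL", "RUN", "STOP"]
EVENTS = [{"_time": T0 + timedelta(minutes=i), "ASSET_NAME": "PUMP1", "VALUE": v}
          for i, v in enumerate(SEQUENCE)]


def streamstats_stop_count(events):
    """Model of `streamstats count(eval(VALUE="STOP")) AS TransactionID BY ASSET_NAME`.
    Events are processed in the order given, and the current event is included
    in the running count (Splunk's default current=true)."""
    counts, out = {}, []
    for ev in events:
        asset = ev["ASSET_NAME"]
        counts[asset] = counts.get(asset, 0) + (ev["VALUE"] == "STOP")
        out.append({**ev, "TransactionID": counts[asset]})
    return out


def stats_by_transaction(events):
    """Model of `stats range(_time) AS duration list(VALUE) AS VALUES min(_time)
    AS _time BY TransactionID ASSET_NAME`; rows oldest first, VALUES chronological."""
    groups = {}
    for ev in events:
        groups.setdefault((ev["ASSET_NAME"], ev["TransactionID"]), []).append(ev)
    rows = []
    for (asset, tid), evs in groups.items():
        evs = sorted(evs, key=lambda e: e["_time"])
        rows.append({"ASSET_NAME": asset, "TransactionID": tid,
                     "duration": int((evs[-1]["_time"] - evs[0]["_time"]).total_seconds()),
                     "VALUES": [e["VALUE"] for e in evs], "_time": evs[0]["_time"]})
    return sorted(rows, key=lambda r: r["_time"])


def run_stop_durations(events, newest_first=True):
    """Whole pipeline: keep only RUN/STOP (the `AND (VALUE="RUN" OR VALUE="STOP")`
    filter), run streamstats newest first (Splunk's default) or chronologically
    to see the mis-grouping, then stats. Groups with no RUN (a stray STOP, as in
    the STOP,STOP case) are dropped here; flagging them instead is a valid choice."""
    kept = [e for e in events if e["VALUE"] in ("RUN", "STOP")]
    ordered = sorted(kept, key=lambda e: e["_time"], reverse=newest_first)
    rows = stats_by_transaction(streamstats_stop_count(ordered))
    return [r for r in rows if "RUN" in r["VALUES"]]


if __name__ == "__main__":
    for row in run_stop_durations(EVENTS):
        print(row["_time"].time(), row["duration"], "s", row["VALUES"])
```

With the sample events, the RUN,RUN,RUN,STOP stretch comes out as one 240-second group from the first RUN to the STOP, which is the span transaction's startswith/endswith collapsed to the last RUN.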