Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction with multiple startswith conditions

dbcase
Motivator
‎11-20-2017 10:01 AM

Hi,

I'm looking to get a duration for a transaction that has multiple startswith conditions they are

BUFFERING
CONNECTED
CONNECTING
PREPARED
RECONNECTING
STREAMING

There is only 1 endswith condition

STOPPED

The data looks like this

{ [-]
Properties: { [-]
args: [ [-]
BUFFERING

]

category: Event

index: 2

}

analyticType: DynamicChoice

buildTarget: fred

clientSessionId: DXDYVVP-ACERSJC

Any thoughts?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎11-20-2017 10:14 AM

Here's an approach, assuming those values are stored in a field called condition_field:

your search 
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL) 
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId 
| eval duration=tostring((end_time-start_time), "duration")

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎11-20-2017 10:14 AM

Here's an approach, assuming those values are stored in a field called condition_field:

your search 
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL) 
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId 
| eval duration=tostring((end_time-start_time), "duration")
Reply
Solved! Jump to solution

dbcase
Motivator
‎11-20-2017 11:03 AM

Hi Elliotproebstel,

I could never seem to get this to work. Kept complaining about missing quotes (found that) and a missing ending ")" that I could never seem to find

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎11-20-2017 11:37 AM

Sorry for the missing quotation mark. Fixing that now in the OP. But as for the missing ) <- any chance that's somewhere in the data? Here's some run-anywhere code that creates two events and finds the duration of time between them, as an example:

| makeresults 
| eval condition_field="BUFFERING", clientSessionId=1234 
| append 
[| makeresults 
| eval condition_field="STOPPED", _time=_time+100, clientSessionId=1234]
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL) 
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId  
| eval duration=tostring((end_time-start_time), "duration")
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...