Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Transaction with multiple startswith conditions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm looking to get a duration for a transaction that has multiple startswith conditions they are
BUFFERING
CONNECTED
CONNECTING
PREPARED
RECONNECTING
STREAMING
There is only 1 endswith condition
STOPPED
The data looks like this
{ [-]
Properties: { [-]
args: [ [-]
BUFFERING
]
category: Event
index: 2
}
analyticType: DynamicChoice
buildTarget: fred
clientSessionId: DXDYVVP-ACERSJC
Any thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's an approach, assuming those values are stored in a field called condition_field:
your search
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL)
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId
| eval duration=tostring((end_time-start_time), "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's an approach, assuming those values are stored in a field called condition_field:
your search
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL)
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId
| eval duration=tostring((end_time-start_time), "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Elliotproebstel,
I could never seem to get this to work. Kept complaining about missing quotes (found that) and a missing ending ")" that I could never seem to find
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the missing quotation mark. Fixing that now in the OP. But as for the missing ) <- any chance that's somewhere in the data? Here's some run-anywhere code that creates two events and finds the duration of time between them, as an example:
| makeresults
| eval condition_field="BUFFERING", clientSessionId=1234
| append
[| makeresults
| eval condition_field="STOPPED", _time=_time+100, clientSessionId=1234]
| eval transaction_start=if(in(condition_field, "BUFFERING", "CONNECTED", "CONNECTING", "PREPARED", "RECONNECTING", "STREAMING"), _time, NULL), transaction_end=if(like(condition_field, "STOPPED"), _time, NULL)
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY clientSessionId
| eval duration=tostring((end_time-start_time), "duration")
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
