Using Transaction Command more than once in the qu...

vickyvishwa · ‎11-10-2019

My Query -

index=abcd sourcetype=applog  OR (sourcetype=nginx AND uri=/v1/abcd)
| transaction startswith="status=201" endswith="className=SYSTEM resourceName=/event/v1/util" |  rename duration as stageTime1
| transaction startswith="className=SYSTEM resourceName=/event/v1/util" endswith="className=secondClass (start MyEventProducer)" |  rename duration as stageTime2
| timechart span=1h avg(stageTime1), avg(stageTime2)

The above query gives result if i run single transaction command at a time. But when I run it together (Like How i mentioned above) its giving emptuy result. Is it not possible to calculate duration for separate stages in a single query ?

HiroshiSatoh · ‎11-10-2019

Is n’t it zero?
I think the second transaction doesn't return a value because there is no keyword in _raw.

Is it all right to be grouped like this in the first place? stageTime1 is multi-field.

KEY,stageTime1
A1,10
A2,20
A3,10
B1,10
B2,20
B3,30

KEY,stageTime1,stageTime2
A,10,100
  20
  10
B,10,500
  20
  30

If there is no parent-child relationship between two transactions, how about calculating and merging them separately?

(your search transaction1)|  rename duration as stageTime1
|timechart span=1h avg(stageTime1) as stageTime1
|append [search (your search transaction2)|  rename duration as stageTime2
|timechart span=1h avg(stageTime2) as stageTime2]
|stats latest(*) as * by _time

Using Transaction Command more than once in the query

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?