Using Transaction Command more than once in the qu...

vickyvishwa · ‎11-10-2019

My Query -

index=abcd sourcetype=applog  OR (sourcetype=nginx AND uri=/v1/abcd)
| transaction startswith="status=201" endswith="className=SYSTEM resourceName=/event/v1/util" |  rename duration as stageTime1
| transaction startswith="className=SYSTEM resourceName=/event/v1/util" endswith="className=secondClass (start MyEventProducer)" |  rename duration as stageTime2
| timechart span=1h avg(stageTime1), avg(stageTime2)

The above query gives result if i run single transaction command at a time. But when I run it together (Like How i mentioned above) its giving emptuy result. Is it not possible to calculate duration for separate stages in a single query ?

HiroshiSatoh · ‎11-10-2019

Is n’t it zero?
I think the second transaction doesn't return a value because there is no keyword in _raw.

Is it all right to be grouped like this in the first place? stageTime1 is multi-field.

KEY,stageTime1
A1,10
A2,20
A3,10
B1,10
B2,20
B3,30

KEY,stageTime1,stageTime2
A,10,100
  20
  10
B,10,500
  20
  30

If there is no parent-child relationship between two transactions, how about calculating and merging them separately?

(your search transaction1)|  rename duration as stageTime1
|timechart span=1h avg(stageTime1) as stageTime1
|append [search (your search transaction2)|  rename duration as stageTime2
|timechart span=1h avg(stageTime2) as stageTime2]
|stats latest(*) as * by _time

Using Transaction Command more than once in the query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation