Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Transaction Command more than once in the query

vickyvishwa
Explorer
‎11-10-2019 09:58 AM

My Query - 

index=abcd sourcetype=applog  OR (sourcetype=nginx AND uri=/v1/abcd)
| transaction startswith="status=201" endswith="className=SYSTEM resourceName=/event/v1/util" |  rename duration as stageTime1
| transaction startswith="className=SYSTEM resourceName=/event/v1/util" endswith="className=secondClass (start MyEventProducer)" |  rename duration as stageTime2
| timechart span=1h avg(stageTime1), avg(stageTime2)

The above query gives result if i run single transaction command at a time. But when I run it together (Like How i mentioned above) its giving emptuy result. Is it not possible to calculate duration for separate stages in a single query ?

0 Karma
Reply

HiroshiSatoh
Champion
‎11-10-2019 11:04 PM

Is n’t it zero?
I think the second transaction doesn't return a value because there is no keyword in _raw.

Is it all right to be grouped like this in the first place? stageTime1 is multi-field.

KEY,stageTime1
A1,10
A2,20
A3,10
B1,10
B2,20
B3,30

KEY,stageTime1,stageTime2
A,10,100
  20
  10
B,10,500
  20
  30

If there is no parent-child relationship between two transactions, how about calculating and merging them separately?

(your search transaction1)|  rename duration as stageTime1
|timechart span=1h avg(stageTime1) as stageTime1
|append [search (your search transaction2)|  rename duration as stageTime2
|timechart span=1h avg(stageTime2) as stageTime2]
|stats latest(*) as * by _time
0 Karma
Reply
Get Updates on the Splunk Community!