Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

calculate time statistics over an hour, but only find releated events that occur within one minute

systemsatpayzon
Path Finder
‎06-20-2013 05:34 AM

I am trying to calculate statistics for when a transaction enters our application, and when the reply is sent from the application. I would like to calculate statistics over an hour and there are two key values that i use to find the events to caculate on (research and Locsite). Here is the query:

      sourcetype="Filter" transactionType=A44 | stats min(_time) AS earliest max(_time) AS latest by research,Locsite | eval duration=latest-earliest

this query returns the duration of the transaction. this query is good enough most of the time but sometimes events with the same "research" and "Locsite" is returned more than two times within the time range of an hour, then the duration value will be calculated over too long time. So i would like my query to only look for events with the same "Locsite" and "research" within one minute, but calculate statistics over the whole timerange

Tags (3)
0 Karma
Reply

systemsatpayzon
Path Finder
‎06-20-2013 12:27 PM

I solved it myself!

sourcetype="Filter" a44 | transaction research maxevents=2 |stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)
0 Karma
Reply

aholzer
Motivator
‎06-20-2013 06:34 AM

Sound like a good use case for the "transaction" command. Here's some documentation to get you started:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Searchfortransactions
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Transaction

Make sure to take careful note of maxspan and maxpause options.

Hope this helps!

Reply

systemsatpayzon
Path Finder
‎06-20-2013 06:06 AM

A better alternative would be to find consecutive occurences of the same value for the keys "research" and "Locsite" (request and response)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...