dynamically assigned maxspan in transactions

boromir
Path Finder

Hi

I am searching for an option to dynamically assign a value for MAXSPAN in a transaction. The value should come as a result of a LOOKUP. So far I have had no success whatsoever. I have tried the proposed solution here:

https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p...

However, this does not work for me; in particular, the proposed solution "fixes" the maxspan to the value in the eval expression, which is 7m in this case.

| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"

In essence, I would like to be able to notify myself of related events that happen within a certain period of time; however, that time and the number of events per each type are dynamically assigned as per the lookup.

Here is an example of my search line:

sourcetype=servername host=hostname
|lookup flex_test f1 as f1 OUTPUT mx_span AS mx_span , ev_count AS ev_count
|transaction f1 f2 maxspan={dynamic value should come here}
|eval alert = if(eventcount>ev_count,"ev_ALERT","OK")
|......

And here is an example of the lookup table (I tried different formats):

f1,mx_span,ev_count
34,1,5
35,60,10
36,2m,5

Kind regards!

boromir
Path Finder

Hi,

Unfortunately no, I tried it... to no avail. I have also tried changing the mx_span using eval span=tonumber(mx_span), in case maxspan only likes integer values, but it didn't work.

ITWhisperer
SplunkTrust

You probably need a single value, rather than a list of values from your rows. You could try populating a dropdown dynamically, selecting one of those options, and using the token from the dropdown as your max span.

ITWhisperer
SplunkTrust

I think your issue is that transaction works on the whole pipeline with one set of parameters, when what you are trying to do (I think) is to get transaction to apply different parameters to subsets of the pipeline all in one go. I am not sure this is possible, and perhaps you need to go back to basics and redefine your problem.

ITWhisperer
SplunkTrust

This might get you close to what you want.

sourcetype=servername host=hostname
|lookup flex_test f1 as f1 OUTPUT mx_span AS mx_span , ev_count AS ev_count
| sort 0 f1 _time
| autoregress f1 as prevf1
| autoregress f2 as prevf2
| autoregress _time as prev_time
| eval prev_time = if(f1 != prevf1 OR f2 != prevf2, null, prev_time)
| eval timesinceprevious = _time - prev_time
| streamstats sum(timesinceprevious) as runningtime by f1 f2
| eval bucket=floor(runningtime / mx_span)
| fillnull value=0 bucket
| stats count as eventcount by f1 f2 bucket
|eval alert = if(eventcount>ev_count,"ev_ALERT","OK")

Essentially, for each value of f1 f2, it calculates how long since the first event for f1 f2, divides that by the period associated with the value of f1 f2, assigns that to a bucket, then counts the events within the bucket.

The features (rather than issues) with this are that the bucket periods don't reset if there is a long gap between events (which transaction might account for) and that the starts of the periods are independent / non-aligned, since they are taken from the first event of each f1 f2 value.
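As an added example (not code from this thread or from Splunk), the following Python mirrors the pipeline above row by row: sort by f1 and _time, autoregress the previous row, drop prev_time when f1/f2 change, accumulate the running time per f1 f2, bucket by mx_span and count per bucket, then apply the ev_count alert. The lookup (FLEX_TEST, with mx_span held as whole seconds) and the events are constructed here so the bucketing and both caveats (no reset after a long gap; per-group, non-aligned period starts) can be checked offline.

```python
from collections import defaultdict

# Constructed stand-in for the flex_test lookup: f1 -> (mx_span in seconds, ev_count)
FLEX_TEST = {"34": (60, 2), "35": (120, 3)}

# Constructed events (_time in epoch seconds); the 1000 s row exercises the "no reset" caveat
EVENTS = [
    {"_time": 0,    "f1": "34", "f2": "a"},
    {"_time": 10,   "f1": "34", "f2": "a"},
    {"_time": 20,   "f1": "34", "f2": "a"},
    {"_time": 1000, "f1": "34", "f2": "a"},
    {"_time": 5,    "f1": "35", "f2": "b"},
    {"_time": 50,   "f1": "35", "f2": "b"},
    {"_time": 130,  "f1": "35", "f2": "b"},
]

def bucket_events(events, lookup):
    """Row-by-row mirror of the SPL: sort 0 f1 _time, autoregress the previous row,
    null prev_time when f1/f2 change, streamstats sum(timesinceprevious) by f1 f2,
    bucket = floor(runningtime / mx_span), stats count by f1 f2 bucket.
    Returns {(f1, f2, bucket): eventcount}."""
    counts = defaultdict(int)
    running = defaultdict(int)  # runningtime per (f1, f2); starts at 0 like fillnull
    prev = None                 # the autoregressed previous row
    for ev in sorted(events, key=lambda e: (e["f1"], e["_time"])):
        key = (ev["f1"], ev["f2"])
        # timesinceprevious only counts when the previous row has the same f1 and f2
        if prev is not None and (prev["f1"], prev["f2"]) == key:
            running[key] += ev["_time"] - prev["_time"]
        mx_span, _ = lookup[ev["f1"]]
        bucket = running[key] // mx_span  # keeps growing across a long gap: no reset
        counts[(ev["f1"], ev["f2"], bucket)] += 1
        prev = ev
    return dict(counts)

def alerts(counts, lookup):
    """eval alert = if(eventcount>ev_count,"ev_ALERT","OK") for each (f1, f2, bucket)."""
    return {k: ("ev_ALERT" if n > lookup[k[0]][1] else "OK") for k, n in counts.items()}

if __name__ == "__main__":
    for key, status in alerts(bucket_events(EVENTS, FLEX_TEST), FLEX_TEST).items():
        print(key, status)
```

With these inputs the three early f1=34 events land in bucket 0 and exceed ev_count=2, while the event 1000 s later lands in bucket 16 rather than starting a fresh period.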

boromir
Path Finder

Hi, this thing does work and provides the expected result.

I have to say that I was hoping to make it a bit simpler, but hey, if it works, it works.

Thanks!

ITWhisperer
SplunkTrust

Does this work?

sourcetype=servername host=hostname
|lookup flex_test f1 as f1 OUTPUT mx_span AS mx_span , ev_count AS ev_count
|transaction f1 f2 maxspan=mx_span
|eval alert = if(eventcount>ev_count,"ev_ALERT","OK")
|......