how to track if a transaction is taking more time ...

kranthimutyala · ‎03-22-2021

Hi Splunkers,

we have a transaction which runs for every 4hours and usually take 5mins to complete.Im trying to set up an alert to trigger condition if the the transaction run time crosses more than 5mins.We don't have the privilege to setup real time alerts.So I tried with comparing the transaction start time with systime but not getting desired results and receiving false positives.And I need some setup like whenever the alert is completed within expected time(i.e 5mins) alert should no longer be triggered. Please help in this scenario.Thanks

hoaxm3 · ‎03-23-2021

If you have access to the rest query searches, you can run against the alert title and the runduration. Or look at the _audit index (Provides the same information)

- https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rest
- https://community.splunk.com/t5/Splunk-Search/How-to-create-a-scheduled-job-time-to-find-the-run-tim...

| rest /services/search/jobs 
| search title="Alert Name" 
| eval alert = if(runDuration>=300, "TRIGGER", "Normal") 
| search alert=TRIGGER

how to track if a transaction is taking more time with non real time alert

chart

eval

regex

rex

search job inspector

stats

subsearch

table

timechart

transaction

tstats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!