timechart span and transaction rollover into hour ...

cmisztur · ‎04-23-2018

below example sums the duration when a machine is not running.

 ... 
    | sort 0 - time 
    | transaction startswith=running="0" endswith=running="1" keeporphans=f keepevicted=f
    | timechart span=1h sum(duration)

first transaction of an hour:

what happens to a transaction that rolls over into the hour?
will it report against 13th hour because the transaction takes the first event's timestamp...

like this one:

thanks
/c

somesoni2 · ‎04-23-2018

The timestamp of the transaction would be considered as the start time of the transaction which is in 13th hour, so your transaction would be counted for 13th hour, even though it ended in 14th. What's your requirement here? Do you want it to be counted for both hours?

cmisztur · ‎04-23-2018

Correct, should split the transaction and fit into the hour it belongs in. So 1m4s into 13th hour, 0m23s into 14th hour.

niketn · ‎04-23-2018

@cmisztur, yes transaction will pick earliest time as the _time. Are you trying to create a transaction without id?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cmisztur · ‎04-23-2018

correct, no ID.

skoelpin · ‎04-23-2018

I wasn't entirely clear on what OP is asking.. But perhaps using stats rather than transaction will give more flexibility

timechart span and transaction rollover into hour (what happens to the duration of the transaction?)

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...