Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart span and transaction rollover into hour (what happens to the duration of the transaction?)

cmisztur
Explorer
‎04-23-2018 07:04 AM

below example sums the duration when a machine is not running.

 ... 
    | sort 0 - time 
    | transaction startswith=running="0" endswith=running="1" keeporphans=f keepevicted=f
    | timechart span=1h sum(duration)

first transaction of an hour:

alt text

what happens to a transaction that rolls over into the hour?
will it report against 13th hour because the transaction takes the first event's timestamp...

like this one:

alt text

thanks
/c

Preview file
42 KB
Preview file
81 KB
0 Karma
Reply

somesoni2
Revered Legend
‎04-23-2018 07:51 AM

The timestamp of the transaction would be considered as the start time of the transaction which is in 13th hour, so your transaction would be counted for 13th hour, even though it ended in 14th. What's your requirement here? Do you want it to be counted for both hours?

0 Karma
Reply

cmisztur
Explorer
‎04-23-2018 11:17 AM

Correct, should split the transaction and fit into the hour it belongs in. So 1m4s into 13th hour, 0m23s into 14th hour.

0 Karma
Reply

niketn
Legend
‎04-23-2018 07:42 AM

@cmisztur, yes transaction will pick earliest time as the _time. Are you trying to create a transaction without id?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cmisztur
Explorer
‎04-23-2018 11:15 AM

correct, no ID.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-23-2018 07:46 AM

I wasn't entirely clear on what OP is asking.. But perhaps using stats rather than transaction will give more flexibility

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...