Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart span and transaction rollover into hour (what happens to the duration of the transaction?)

cmisztur
Explorer
‎04-23-2018 07:04 AM

below example sums the duration when a machine is not running.

 ... 
    | sort 0 - time 
    | transaction startswith=running="0" endswith=running="1" keeporphans=f keepevicted=f
    | timechart span=1h sum(duration)

first transaction of an hour:

alt text

what happens to a transaction that rolls over into the hour?
will it report against 13th hour because the transaction takes the first event's timestamp...

like this one:

alt text

thanks
/c

Preview file
42 KB
Preview file
81 KB
0 Karma
Reply

somesoni2
Revered Legend
‎04-23-2018 07:51 AM

The timestamp of the transaction would be considered as the start time of the transaction which is in 13th hour, so your transaction would be counted for 13th hour, even though it ended in 14th. What's your requirement here? Do you want it to be counted for both hours?

0 Karma
Reply

cmisztur
Explorer
‎04-23-2018 11:17 AM

Correct, should split the transaction and fit into the hour it belongs in. So 1m4s into 13th hour, 0m23s into 14th hour.

0 Karma
Reply

niketn
Legend
‎04-23-2018 07:42 AM

@cmisztur, yes transaction will pick earliest time as the _time. Are you trying to create a transaction without id?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cmisztur
Explorer
‎04-23-2018 11:15 AM

correct, no ID.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-23-2018 07:46 AM

I wasn't entirely clear on what OP is asking.. But perhaps using stats rather than transaction will give more flexibility

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...