Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

transaction and conditional logic

bilsch
Engager
‎08-26-2010 08:49 PM

I am working on a variation on a transaction query as described here: http://answers.splunk.com/questions/5619/calculating-the-duration-of-a-transaction-fragment-vs-the-t...

(... search )
| eval phase1_time=if(searchmatch("Entering"), _time, null())
| eval phase2_time=if(searchmatch("Exiting"), _time, null())
| transaction fields="sessionId" startswith="Entering" endswith="Exiting"
| eval phase1_duration=phase2_time-phase1_time
| search phase1_duration >= 10
| fields host,loginId,sessionId,phase1_duration,source

This works for my reporting purposes but I would like an operational version of this query that would be capable of providing results of sessionId's which have started/Entered but have not Exited yet - within a window of seconds similar to what I am doing with phase1_duration.

Anyone have ideas?

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 11:14 PM

I'm wondering why you don't just use the "duration" field that is automatically computed by the "transaction" command, that is simply the difference between _time of the first and _time of the last event in the transaction.

If that field value works for you, you can simply add "keepevicted=true" to your transaction options, and incomplete transactions will be kept in your results, but the duration will be calculated according to the last event anyway.

Reply

bilsch
Engager
‎08-27-2010 11:19 AM

Good point on the duration vs eval to derive. This does simplify the original query - thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...