Splunk Search

transaction and conditional logic

bilsch
Engager

I am working on a variation on a transaction query as described here: http://answers.splunk.com/questions/5619/calculating-the-duration-of-a-transaction-fragment-vs-the-t...

(... search )
| eval phase1_time=if(searchmatch("Entering"), _time, null())
| eval phase2_time=if(searchmatch("Exiting"), _time, null())
| transaction fields="sessionId" startswith="Entering" endswith="Exiting"
| eval phase1_duration=phase2_time-phase1_time
| search phase1_duration >= 10
| fields host,loginId,sessionId,phase1_duration,source

This works for my reporting purposes but I would like an operational version of this query that would be capable of providing results of sessionId's which have started/Entered but have not Exited yet - within a window of seconds similar to what I am doing with phase1_duration.

Anyone have ideas?

Tags (1)

gkanapathy
Splunk Employee
Splunk Employee

I'm wondering why you don't just use the "duration" field that is automatically computed by the "transaction" command, that is simply the difference between _time of the first and _time of the last event in the transaction.

If that field value works for you, you can simply add "keepevicted=true" to your transaction options, and incomplete transactions will be kept in your results, but the duration will be calculated according to the last event anyway.

bilsch
Engager

Good point on the duration vs eval to derive. This does simplify the original query - thanks!

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...