Re: transaction and conditional logic

bilsch · ‎08-26-2010

I am working on a variation on a transaction query as described here: http://answers.splunk.com/questions/5619/calculating-the-duration-of-a-transaction-fragment-vs-the-t...

(... search )
| eval phase1_time=if(searchmatch("Entering"), _time, null())
| eval phase2_time=if(searchmatch("Exiting"), _time, null())
| transaction fields="sessionId" startswith="Entering" endswith="Exiting"
| eval phase1_duration=phase2_time-phase1_time
| search phase1_duration >= 10
| fields host,loginId,sessionId,phase1_duration,source

This works for my reporting purposes but I would like an operational version of this query that would be capable of providing results of sessionId's which have started/Entered but have not Exited yet - within a window of seconds similar to what I am doing with phase1_duration.

Anyone have ideas?

gkanapathy · ‎08-26-2010

I'm wondering why you don't just use the "duration" field that is automatically computed by the "transaction" command, that is simply the difference between _time of the first and _time of the last event in the transaction.

If that field value works for you, you can simply add "keepevicted=true" to your transaction options, and incomplete transactions will be kept in your results, but the duration will be calculated according to the last event anyway.

bilsch · ‎08-27-2010

Good point on the duration vs eval to derive. This does simplify the original query - thanks!

transaction and conditional logic

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann