Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

transaction and conditional logic

bilsch
Engager
‎08-26-2010 08:49 PM

I am working on a variation on a transaction query as described here: http://answers.splunk.com/questions/5619/calculating-the-duration-of-a-transaction-fragment-vs-the-t...

(... search )
| eval phase1_time=if(searchmatch("Entering"), _time, null())
| eval phase2_time=if(searchmatch("Exiting"), _time, null())
| transaction fields="sessionId" startswith="Entering" endswith="Exiting"
| eval phase1_duration=phase2_time-phase1_time
| search phase1_duration >= 10
| fields host,loginId,sessionId,phase1_duration,source

This works for my reporting purposes but I would like an operational version of this query that would be capable of providing results of sessionId's which have started/Entered but have not Exited yet - within a window of seconds similar to what I am doing with phase1_duration.

Anyone have ideas?

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 11:14 PM

I'm wondering why you don't just use the "duration" field that is automatically computed by the "transaction" command, that is simply the difference between _time of the first and _time of the last event in the transaction.

If that field value works for you, you can simply add "keepevicted=true" to your transaction options, and incomplete transactions will be kept in your results, but the duration will be calculated according to the last event anyway.

Reply

bilsch
Engager
‎08-27-2010 11:19 AM

Good point on the duration vs eval to derive. This does simplify the original query - thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...