Splunk Search

transaction that ends if a certain value changes

christianhuber
Path Finder

Hi all,

I'am sure there was already someone that had this problem and there is probably a answer right in front of me. But with all the effort reading trough splunk answer I couldn't find a proper solution.

My Log file:

12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false

What I would like to have as e result:

12:00:00 name=SENSOR1 value=true duration=240
12:04:00 name=SENSOR1 value=false duration=420
12:11:00 name=SENSOR1 value=true duration=240

My Current Search :

value=true | transaction value, name maxpause=140s |append [search value=false | transcation value, name maxpause=140s] 

Which gives me

12:00:00 name=SENSOR1 value=true duration=180
12:04:00 name=SENSOR1 value=false duration=60
12:10:00 name=SENSOR1 value=false duration=0
12:11:00 name=SENSOR1 value=true duration=180

So I know the Problem I have is the maxpause, how can I handle that problem ? If I'am increasing the maxpause it will combine events that shouldn't be together. But I still would like to have one event for as this is in my case one transaction, and it's possible that a sensor doesn't send regularly a status value.

any help or link to a already answered question would be nice

Christian

0 Karma
1 Solution

cmerriman
Super Champion

try to use streamstats.

| makeresults |eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"|makemv data delim="," |mvexpand data|rename data as _raw|kv|convert auto(time) as _time|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats

adding something along the lines of:

|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

might help. might need a little adjusting, though

View solution in original post

sbbadri
Motivator

I hope it helps,

your search | eval _raw = _raw."#" | transaction value, name maxpause=140s | eventstats values(_raw) by duration | eval _raw = split(_raw,"#") | table _raw duration

0 Karma

christianhuber
Path Finder

Hi,

Thanks but I think the problem will resists as, the maxpause is still making sure that after 140s no event receives, a new transaction is started.

0 Karma

cmerriman
Super Champion

try to use streamstats.

| makeresults |eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"|makemv data delim="," |mvexpand data|rename data as _raw|kv|convert auto(time) as _time|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats

adding something along the lines of:

|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime

might help. might need a little adjusting, though

christianhuber
Path Finder

I will try this, a give feedback. At the first glance it looks pretty good for me.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...