Splunk Search

transaction with duplicate start events and should be taking the earliest event

harshavmb
New Member

Hello All,

I'm trying to get the duration from the transaction. The problem here is I've duplicate start events and the transaction is taking the latest duplicate event. Is there a way I can get the transaction of the first duplicate event?

First event (request 1) :

{"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:00:02.806Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}

Second event (request 2) :

 {"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:01:03.906Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}

Response :

{"evt":146965686,"intelId":"51","intelSeq":2046000,"intelVer":"1","time":"2016-07-27T22:01:02.999Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp2128235399-8101","wStatus":200,"wDurationMicros":25000,"wSize":"15638","intelCropped":false,"intelLength":278}

Below is the query I wrote.

index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51"
| transaction uiCorrelationIdV1 maxspan=65s startswith=wMethod endswith=wStatus
| eval difference = duration 
| table uiCorrelationIdV1 difference
| sort -difference

I've done the transaction of request events with response event and it always shows the duration between the response and request 2 ignoring the request1.

Can someone please help me?

Thanks in advance.

0 Karma

dijikul
Communicator

Any luck with this?

I'm having a similar issue where the start of a transaction is a repeating event, with the transaction only closing with a single event.

I can successfully group the transaction by only specifying the endswith parameter, leaving out the startswith, however the issue is when the transaction is not-yet completed (in this case the 'event' lasts longer than 5 minutes), nothing appears. I can work around this with the keeporphans param, but then each repeating starting event is a single event and not grouped together until it sees the endswith clause...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

 index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51"
| reverse | dedup evt
 | transaction uiCorrelationIdV1 maxspan=65s startswith=wMethod endswith=wStatus
 | eval difference = duration 
 | table uiCorrelationIdV1 difference
 | sort -difference
0 Karma

harshavmb
New Member

nah! it is not working!

0 Karma

sundareshr
Legend

See if this works

index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51" | rex "(?<action>wMethod|wStatus)" | reverse streamstats count by uiCorrelationIdV1 action | where count=1 | streamstats window=1 current=f  values(_time) as next_evt by uiCorrelationIdV1 count | eval duration=tostring(next_evt-_time, "duration") 
0 Karma

harshavmb
New Member

nah! it is not working!

0 Karma

sundareshr
Legend

What about it is not working?

0 Karma

harshavmb
New Member

I'm getting different results than what I expected. There are only two duplicate requests. I'll try to debug your query tomorrow. Many Thanks for your answers.. Much appreciated.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...