Re: transaction with duplicate start events and sh...

harshavmb · ‎07-29-2016

Hello All,

I'm trying to get the duration from the transaction. The problem here is I've duplicate start events and the transaction is taking the latest duplicate event. Is there a way I can get the transaction of the first duplicate event?

First event (request 1) :

{"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:00:02.806Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}

Second event (request 2) :

 {"evt":146965680,"intelId":"54","intelSeq":2044838,"intelVer":"1","time":"2016-07-27T22:01:03.906Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp212823539","wMethod":"GET","wResource":"https://abc/v2/products/1513131?key=yqtYwkTVvgA","intelCropped":false,"intelLength":354}

Response :

{"evt":146965686,"intelId":"51","intelSeq":2046000,"intelVer":"1","time":"2016-07-27T22:01:02.999Z","uiCorrelationIdV1":"SUI-14696568028","threadName":"qtp2128235399-8101","wStatus":200,"wDurationMicros":25000,"wSize":"15638","intelCropped":false,"intelLength":278}

Below is the query I wrote.

index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51"
| transaction uiCorrelationIdV1 maxspan=65s startswith=wMethod endswith=wStatus
| eval difference = duration 
| table uiCorrelationIdV1 difference
| sort -difference

I've done the transaction of request events with response event and it always shows the duration between the response and request 2 ignoring the request1.

Can someone please help me?

Thanks in advance.

dijikul · ‎02-20-2020

Any luck with this?

I'm having a similar issue where the start of a transaction is a repeating event, with the transaction only closing with a single event.

I can successfully group the transaction by only specifying the endswith parameter, leaving out the startswith, however the issue is when the transaction is not-yet completed (in this case the 'event' lasts longer than 5 minutes), nothing appears. I can work around this with the keeporphans param, but then each repeating starting event is a single event and not grouped together until it sees the endswith clause...

somesoni2 · ‎07-29-2016

Try this

 index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51"
| reverse | dedup evt
 | transaction uiCorrelationIdV1 maxspan=65s startswith=wMethod endswith=wStatus
 | eval difference = duration 
 | table uiCorrelationIdV1 difference
 | sort -difference

harshavmb · ‎07-30-2016

nah! it is not working!

sundareshr · ‎07-29-2016

See if this works

index=myindex sourcetype=jlp_intel_v2 "intelId":"54" OR  "intelId":"51" | rex "(?<action>wMethod|wStatus)" | reverse streamstats count by uiCorrelationIdV1 action | where count=1 | streamstats window=1 current=f  values(_time) as next_evt by uiCorrelationIdV1 count | eval duration=tostring(next_evt-_time, "duration")

harshavmb · ‎07-30-2016

nah! it is not working!

sundareshr · ‎07-30-2016

What about it is not working?

harshavmb · ‎07-31-2016

I'm getting different results than what I expected. There are only two duplicate requests. I'll try to debug your query tomorrow. Many Thanks for your answers.. Much appreciated.

transaction with duplicate start events and should be taking the earliest event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?