Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Get An Event from Within a Transaction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to get an event inside of a transaction to use for duration calculation. My events currently look like this (for one user):
2021-06-07 17:53:01 UserId:123 Session complete
2021-06-07 17:25:01 UserId:123 Start session
2021-06-07 17:17:01 UserId:123 Choose location for session:231
2021-06-07 15:33:01 UserId:123 Session complete
2021-06-07 14:55:01 UserId:123 Start session
2021-06-07 14:42:01 UserId:123 Choose location for session:212
I want to get the duration of the session from start to completion but also need to session number. I set up my search with a transaction starting with the "Choose" event and ending with the "Session complete" event in order to get the session number with the grouping, but I need to access the "Start session" event to calculate the duration. How should I go about this? My search is below:
index=INDEX host=HOST sourcetype=SOURCETYPE earliest=-1d@d latest=now
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\scomplete"
| rex field=_raw "UserId:(?<user_id>\d+)\sStart\ssession"
| rex field=_raw "UserId:(?<user_id>\d+)\sChoose\slocation\sfor\ssession:(?<session_id>\d+)"
| where user_id<3000
| sort 0 user_id -_time
| transaction user_id startswith="Choose" endswith="complete"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to solve my issue by using filldown prior to the transaction:
index=INDEX host=HOST sourcetype=SOURCETYPE earliest=-1d@d latest=now
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\scomplete"
| rex field=_raw "UserId:(?<user_id>\d+)\sStart\ssession"
| rex field=_raw "UserId:(?<user_id>\d+)\sChoose\slocation\sfor\ssession:(?<session_id>\d+)"
| where user_id<3000
| sort 0 user_id _time
| filldown session_id
| sort 0 user_id -_time
| transaction user_id startswith="Choose" endswith="complete"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to solve my issue by using filldown prior to the transaction:
index=INDEX host=HOST sourcetype=SOURCETYPE earliest=-1d@d latest=now
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\scomplete"
| rex field=_raw "UserId:(?<user_id>\d+)\sStart\ssession"
| rex field=_raw "UserId:(?<user_id>\d+)\sChoose\slocation\sfor\ssession:(?<session_id>\d+)"
| where user_id<3000
| sort 0 user_id _time
| filldown session_id
| sort 0 user_id -_time
| transaction user_id startswith="Choose" endswith="complete"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
