Hi
I am using Hunk and I am looking for a way to get transaction (grouping events by userid with start transaction and stop transaction event).
For example, I have events something like this:
2014/05/01 00:00:01 userid=u01 action=start
2014/05/01 00:00:02 userid=u02 action=start
2014/05/01 00:00:03 userid=u01 action=stop
2014/05/01 00:00:04 userid=u03 action=start
2014/05/01 00:00:05 userid=u03 action=stop
2014/05/01 00:00:06 userid=u01 action=start
2014/05/01 00:00:07 userid=u01 action=stop
2014/05/01 00:00:08 userid=u02 action=stop
Search result with transaction command is:
index=main sourcetype=transtest
| transaction userid startswith=action=start endswith=action=stop
| table _time userid duration
_time userid duration
--------------------------- ------ --------
2014-05-01 00:00:06.000 JST u01 1
2014-05-01 00:00:04.000 JST u03 1
2014-05-01 00:00:02.000 JST u02 6
2014-05-01 00:00:01.000 JST u01 2
My try without transaction command is like this:
index=main sourcetype=transtest
| stats min(_time) as _time max(_time) as max by userid
| eval duration = max - _time
| table _time userid duration
_time userid duration
--------------------------- ------ --------
2014-05-01 00:00:01.000 JST u01 6
2014-05-01 00:00:02.000 JST u02 6
2014-05-01 00:00:04.000 JST u03 1
I want to get the result I get from transaction command, but I can not use transaction command because of the limitation of Hunk.
Is there any way to get transaction information without using transaction command?
Any comment would be appreciated.
Melonman, what exactly are you trying to get out of the data? Maybe we can find a way to get it without using transactions command
Hmmm, since events are not guaranteed to be processed in any particular order and you absolutely need order to match the most recent start with the correct stop event (to compute the duration), there's no way around this without transaction. You can force the ordering of the events before transaction, e.g. "search .... | sort - _time | transaction ...."
I am trying to get the duration (time between start and stop) for each userid and each transaction. After that, I want to get the count of transactions and the min, avg, max of transaction duration for each userid. Probably I will add another search to filter something like where max>100sec or so.
Hi melonman,
this is because the stats result for u01 looks like this:
2014/05/01 00:00:01 userid=u01 action=start
2014/05/01 00:00:03 userid=u01 action=stop
2014/05/01 00:00:06 userid=u01 action=start
2014/05/01 00:00:07 userid=u01 action=stop
and using min and max on this will result in min=00:00:01 max=00:00:07, therefore you will get a duration of 6.
based on the provided example data and using streamstats I can get what you want:
the base search to get the events | streamstats current=f last(userid) AS last_userid last(action) AS last_action last(_time) as last_time by userid | eval duration=last_time - _time | where last_action="stop" AND action="start" | table _time userid duration
the result will look like this:
Hope this helps ...
cheers, MuS
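As an added example (not MuS's search and not Splunk code), here is the same pairing logic in Python: it sorts the events by time explicitly before matching each start with the next stop of the same userid, so it does not depend on the order the events arrive in, and then computes the per-user count/min/avg/max melonman asked for. The sample events are the ones from the question.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: the eight events from the question.
EVENTS = """\
2014/05/01 00:00:01 userid=u01 action=start
2014/05/01 00:00:02 userid=u02 action=start
2014/05/01 00:00:03 userid=u01 action=stop
2014/05/01 00:00:04 userid=u03 action=start
2014/05/01 00:00:05 userid=u03 action=stop
2014/05/01 00:00:06 userid=u01 action=start
2014/05/01 00:00:07 userid=u01 action=stop
2014/05/01 00:00:08 userid=u02 action=stop
"""

LINE_RE = re.compile(r"^(\S+ \S+) userid=(\S+) action=(start|stop)$")

def parse_events(text):
    """Parse one event per line into (time, userid, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected format
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events

def transactions(events):
    """Pair each start with the next stop of the same userid.

    Like the streamstats search, this only works when events of one userid
    are seen in time order, so the input is sorted here instead of relying
    on the order the search engine hands events back.
    Returns (start_time, userid, duration_seconds) tuples, newest first.
    """
    open_start = {}  # userid -> time of the most recent unmatched start
    result = []
    for ts, user, action in sorted(events):
        if action == "start":
            open_start[user] = ts  # a newer start replaces an unmatched one
        elif action == "stop" and user in open_start:
            start = open_start.pop(user)
            result.append((start, user, (ts - start).total_seconds()))
        # a stop with no open start for that userid is ignored
    return sorted(result, reverse=True)

def per_user_stats(txns):
    """count / min / avg / max duration per userid, as asked in the follow-up."""
    by_user = defaultdict(list)
    for _, user, dur in txns:
        by_user[user].append(dur)
    return {u: {"count": len(d), "min": min(d), "avg": mean(d), "max": max(d)}
            for u, d in by_user.items()}
```

The output of transactions() matches the four rows the transaction command produced (u01 1, u03 1, u02 6, u01 2), and feeding the events in reverse order gives the same result.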
dammit.... 🙂
Thank you very much for your great thought.
However, streamstats does not guarantee descending time order of events:
http://docs.splunk.com/Documentation/Hunk/6.1/Hunk/Searchavirtualindex
Ummm...