Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a transaction search where startswith has the same value as endswith?

jo_za_b_m
Engager
‎11-19-2014 10:39 AM

Hello,

I am kind of new to Splunk and unfortunately I ran out of Ideas how to solve the problem i'm facing.
I need to know the Time between two events with the same Values. Is that possible?
an Example:

| transaction testparam mvlist=t startswith=eval(value="1") endswith=eval(value="1")  | table duration

value is a trigger in the testdata.

Is there maybe some sort of join I could use, or an option like minpause.

If anyone has an idea how to solve this or a clue, I'll be very thankful.

Greetings

Reply

MuS
Legend
‎11-19-2014 11:32 AM

Hi jo_za_b_m,

try something like this:

 <your base search here> value="1" 
| stats earliest(_time) AS e_time latest(_time) AS l_time 
| eval duration=l_time-e_time | convert crime(duration) | ...

maybe you need to add a by clause to the stats and any further needed fields. But this should do the job for you.

hope this helps ...

cheers, MuS

0 Karma
Reply

jo_za_b_m
Engager
‎11-20-2014 01:35 AM

Hi Mus,
thank you for fast response

the Problem within this is that i get the earliest and the latest value="1".
What i need is that the Value="1" (endswith) appears in the next transaction as Value="1"(startswith).
I need the duration time between every Value="1" 's.

Another solution which would help would be to include a different Value="2" in the Middle, which exists in the data and is always between the 1's.

What i tried to do so is following.

index="test" | transaction param mvlist=t startswith=eval(Value="1") endswith=eval(Value="2") | table param Create_time Value | append  [search index="test" | transaction param mvlist=t startswith=eval(Value="2") endswith=eval(Value="1")  |  eval mvindex(Value,-1) = 77 ] | table param Create_time Value

then my next step would have been to combine or make a transaction from Value="1" to Value="77" but the assignment eval mvindex()=77 doesnt work.

Maybe you have another suggestion?

0 Karma
Reply

MuS
Legend
‎11-20-2014 11:39 AM

sure there are more suggestions; like streamstats .... take a look at this blog post http://blogs.splunk.com/2013/10/31/streamstats-example/ to get an idea how to use it

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...