Splunk Search

How do I edit my transaction search to only return on unique time result?

mikylace
Explorer

I'm trying to adjust the following search:

index=pcindex sourcetype=parlayx | transaction corr | search "lvl=ERROR" | table SMS_MSISDN,corr,time

I use the transaction command in order to obtain one single meta-trace with the common fields I'm interested in. Then I filter only for the erroneous ones, and finally I show the results in "table" format (with phone number, correlatorID, time).
The problem is that the meta-field that the transaction command creates contains more than one "time" (one for every trace).

57300xxxxxxx    09c3d697-d1d1-479c-bfef-839f874460f0     2015-06-30T03:47:10.618
                                                         2015-06-30T03:47:10.620
                                                         2015-06-30T03:47:10.621
                                                         2015-06-30T03:47:40.621

How can I get only one time result, or an average of them at least?


Runals
Motivator

In your search, when you list "time" at the end in your table, is that a field IN your data, or are you talking about the "_time" field Splunk uses to list the time of the event? For the transaction command, _time will list the first event of any events that are combined.


mikylace
Explorer

I think this is what I call "Columbus's egg"....

THANK YOU! :DDD

index=pcindex sourcetype=parlayx | transaction corr | search "lvl=ERROR" | table _time, SMS_MSISDN, corr

Works just perfect 🙂
Thank you so much!


Runals
Motivator

Glad that worked. If you haven't already seen it, the transaction command will also calculate the duration between the first and last event in the transaction and put it into a field called duration. This is useful for figuring out how long something took between start and end, as well as being able to calculate the end time, i.e. | eval end_time = _time + duration | convert ctime(end_time)
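As an added illustration of what Runals describes (this is not code from the thread or from Splunk): a small Python model of `transaction corr` followed by `search "lvl=ERROR"`, run on constructed events laid out with the thread's field names. It shows why `time` comes back multivalued while `_time` stays single, and derives `duration` and `end_time` the way the eval above does.

```python
from datetime import datetime, timezone

# Constructed raw events in the shape of the thread's sourcetype (not real data).
EVENTS = [
    {"corr": "c-1", "lvl": "INFO",  "SMS_MSISDN": "57300xxxxxxx", "time": "2015-06-30T03:47:10.618"},
    {"corr": "c-1", "lvl": "INFO",  "SMS_MSISDN": "57300xxxxxxx", "time": "2015-06-30T03:47:10.620"},
    {"corr": "c-1", "lvl": "ERROR", "SMS_MSISDN": "57300xxxxxxx", "time": "2015-06-30T03:47:10.621"},
    {"corr": "c-1", "lvl": "INFO",  "SMS_MSISDN": "57300xxxxxxx", "time": "2015-06-30T03:47:40.621"},
    {"corr": "c-2", "lvl": "INFO",  "SMS_MSISDN": "57301xxxxxxx", "time": "2015-06-30T03:48:00.000"},
    {"corr": "c-2", "lvl": "INFO",  "SMS_MSISDN": "57301xxxxxxx", "time": "2015-06-30T03:48:02.500"},
]

def epoch(ts):
    """Parse the event's own time string; it carries no zone, so assume UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc).timestamp()

def transaction(events, field):
    """Model of `| transaction <field>`: one result per distinct value of `field`.
    _time is the earliest member's time, duration is latest minus earliest, and
    every other field becomes a multivalue list of the distinct values seen,
    which is why `time` shows one entry per member event in the thread."""
    groups = {}
    for ev in sorted(events, key=lambda e: epoch(e["time"])):
        t = epoch(ev["time"])
        tx = groups.setdefault(ev[field], {field: ev[field], "_time": t, "_last": t})
        tx["_last"] = max(tx["_last"], t)
        for key, value in ev.items():
            if key != field:
                values = tx.setdefault(key, [])
                if value not in values:
                    values.append(value)
    results = []
    for tx in groups.values():
        tx["duration"] = tx.pop("_last") - tx["_time"]
        results.append(tx)
    return results

def error_transactions(events):
    """`| search "lvl=ERROR"` after transaction keeps a transaction if any member
    carried lvl=ERROR; end_time = _time + duration is the eval from the thread."""
    rows = []
    for tx in transaction(events, "corr"):
        if "ERROR" in tx["lvl"]:
            tx["end_time"] = tx["_time"] + tx["duration"]
            rows.append(tx)
    return rows
```

Calling `error_transactions(EVENTS)` returns only the c-1 transaction, with four values in `time` but a single `_time` and a `duration` of about 30 seconds.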

NOUMSSI
Builder

Hi,
try this:

index=pcindex sourcetype=parlayx | transaction corr | search "lvl=ERROR" | dedup SMS_MSISDN | table SMS_MSISDN,corr,time

mikylace
Explorer

Thank you, unfortunately there are no duplicated MSISDNs, so the result is the same as before... Nor is the time duplicated; all of them are different (by seconds or milliseconds, but different).


stephanefotso
Motivator

Hello! Try this to get the last time value:

index=pcindex sourcetype=parlayx | transaction corr | search "lvl=ERROR" | stats values(SMS_MSISDN) values(corr) first(time)

You can also try other functions, last(), max(), ...
Thanks

SGF

mikylace
Explorer

Unfortunately this doesn't work 😞

It returns a different number of MSISDNs, more correlatorIDs than phone numbers, and just one time (the first one)...


stephanefotso
Motivator

True. Try this:

index=pcindex sourcetype=parlayx | eventstats max(time) as time | transaction corr | search "lvl=ERROR" | table SMS_MSISDN corr time

Hope it may help.

SGF

mikylace
Explorer

Thank you a lot, time is shown correctly but it is always the same for all phone numbers, like this:

573155737677 15ab891d-b075-4894-a2fa-4dcefc93ab77 2015-06-30T15:00:40.940
573157464749 3d17e720-6810-47be-b94f-0b66a4c97081 2015-06-30T15:00:40.940
573213437139 29245338-6763-4969-bbb2-53972bf6e004 2015-06-30T15:00:40.940
573008181388 09c3d697-d1d1-479c-bfef-839f874460f0 2015-06-30T15:00:40.940


stephanefotso
Motivator

Yes! Because I have used the max() command, which means 2015-06-30T15:00:40.940 is the max time.
But you can also use a subsearch to get the top time, something like this:

index=pcindex sourcetype=parlayx [search index=pcindex sourcetype=parlayx | top 1 time | table time] | transaction corr | search "lvl=ERROR" | table SMS_MSISDN corr time
SGF