Good Afternoon Splunk,
I have a question about some data that I am trying to evaluate for the transaction command. Below I have a snapshot of the data I am trying to get the transaction statement to work on, but I have to be somewhat creative.
The goal is that I am trying to get the last event in this transaction, the max or last value. I believe to signify the transaction I may be able to start with the "Send To State" field as that is always = 0
But the end of the transaction I am having some trouble with, as you can see the data is not all that helpful.
My anticipated query for index time seems to at least pick up values in steps.
| eval IndexTime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
Somehow I would like to correlate the index time and another field so that I may then say
SendToState was the beginning of this and the end was the combination of an indextime and some other field, but I am at a loss what I could do. Any help would be appreciated.
Thanks,
Daniel MacGillivray
It seems what you need is not a transaction, but a streamstats instead. Append this to your SPL query:
| SORT "Type of Report", "Report Sub Type", "Report Generation Start Time", - _indextime
| STREAMSTATS current=t reset_on_change=t first(_indextime) as "first_time" last(_indextime) as "current_time" by "Type of Report", "Report Sub Type", "Report Generation Start Time"
| EVAL isfirst=IF(first_time==current_time, 1, 0)
| SEARCH isfirst=1
It should show you only the "last line" (max _indextime) for each report you generated.
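As an added illustration (not part of the thread), this Python snippet emulates what that pipeline does to a constructed batch of report events: the sort by report keys with descending _indextime, a streamstats pass with reset_on_change semantics, and the isfirst filter. The events and field values are made up for the example; the group keys match the ones used in the answer.

```python
# Constructed sample events (not from the thread): two reports, each ingested
# in several steps, arriving interleaved and out of order.
EVENTS = [
    {"Type of Report": "Audit", "Report Sub Type": "Daily", "Report Generation Start Time": "2023-01-01 08:00", "_indextime": 130},
    {"Type of Report": "Inventory", "Report Sub Type": "Weekly", "Report Generation Start Time": "2023-01-01 09:00", "_indextime": 150},
    {"Type of Report": "Audit", "Report Sub Type": "Daily", "Report Generation Start Time": "2023-01-01 08:00", "_indextime": 100},
    {"Type of Report": "Inventory", "Report Sub Type": "Weekly", "Report Generation Start Time": "2023-01-01 09:00", "_indextime": 110},
    {"Type of Report": "Audit", "Report Sub Type": "Daily", "Report Generation Start Time": "2023-01-01 08:00", "_indextime": 160},
]

GROUP_KEYS = ("Type of Report", "Report Sub Type", "Report Generation Start Time")


def streamstats_first_last(events, keys, field):
    """Emulate `streamstats current=t reset_on_change=t first(field) as first_time
    last(field) as current_time by keys` over an already-sorted event list.
    reset_on_change: the running state is dropped whenever the by-fields change.
    current=t: the current event is included, so last(field) is its own value."""
    rows, prev_key, first = [], None, None
    for ev in events:
        key = tuple(ev[k] for k in keys)
        if key != prev_key:
            first, prev_key = ev[field], key
        row = dict(ev)
        row["first_time"] = first
        row["current_time"] = ev[field]
        rows.append(row)
    return rows


def last_line_per_report(events, keys=GROUP_KEYS):
    """The whole pipeline: sort keys, -_indextime | streamstats ... | eval isfirst | search isfirst=1.
    Returns one event per report: the one with the highest _indextime."""
    ordered = sorted(events, key=lambda e: tuple(e[k] for k in keys) + (-e["_indextime"],))
    rows = streamstats_first_last(ordered, keys, "_indextime")
    # isfirst=1 exactly when this row is the first of its group, i.e. the max _indextime
    return [r for r in rows if r["first_time"] == r["current_time"]]


if __name__ == "__main__":
    for r in last_line_per_report(EVENTS):
        print(r["Type of Report"], r["Report Sub Type"], r["_indextime"])
```

If the `-` on _indextime were dropped from the sort, the same filter would instead return the earliest ingested line per report, which is the easy mistake to make here.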
Thanks Haley, as I was thinking about what Lguinn said to me previously, I found it difficult to have a transaction without values that were really going to work similar to a Web or VPN or some other type of transactional type logic.
Thanks everyone for your assistance, and working with me on this.
What would "a transaction" look like? What defines a transaction - same type/sub-type of report? How does "IndexTime" affect the transaction?
It might be helpful to see the entire search string that you have so far...