
How to get a transaction command to work with a combination of indexTime and another field?

dmacgillivray
Communicator

Good Afternoon Splunk,

I have a question about some data that I am trying to evaluate for the transaction command. Below I have a snapshot of the data; I am trying to get the transaction statement to work, but I have to be somewhat creative.

The goal is that I am trying to get the last event in this transaction, the max or last value. I believe that to signify the transaction I may be able to start with the "Send To State" field, as that is always = 0.

But the end of the transaction I am having some trouble with, as you can see the data is not all that helpful.

My anticipated query for index time seems to at least pick up values in steps:

| eval IndexTime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")   

Somehow I would like to correlate the index time and another field so that I may then say
SendToState was the beginning of this and the end was the combination of an indextime and some other field, but I am at a loss what I could do. Any help would be appreciated.

Thanks,
Daniel MacGillivray


1 Solution

haley_swarnapat
Path Finder

It seems what you need is not a transaction, but a streamstats instead. Append this to your SPL query:

| SORT "Type of Report", "Report Sub Type", "Report Generation Start Time", - _indextime
| STREAMSTATS current=t reset_on_change=t first(_indextime) as "first_time" last(_indextime) as "current_time" by "Type of Report", "Report Sub Type", "Report Generation Start Time"
| EVAL isfirst=IF(first_time==current_time, 1, 0)
| SEARCH isfirst=1

It should show you only the "last line" (max _indextime) for each report you generated

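To make the selection logic of that pipeline visible without a Splunk instance, here is an added Python model of it (not code from the thread or from Splunk) run over constructed events; the "by" field names, the `_indextime` values and the `Send To State` values are assumptions modelled on the question.

```python
# Added example: a Python model of the accepted answer's sort + streamstats
# pipeline, applied to constructed events so the per-report selection (and one
# caveat, ties on _indextime) can be seen step by step. Not Splunk's own code.
from itertools import groupby

# Constructed sample events: two report keys, several indexed copies each.
# Field names and values are assumptions modelled on the poster's screenshot.
SAMPLE_EVENTS = [
    {"Type of Report": "Sales", "Report Sub Type": "Daily",  "Report Generation Start Time": "2024-01-02 08:00", "_indextime": 1704182400, "Send To State": 0},
    {"Type of Report": "Sales", "Report Sub Type": "Daily",  "Report Generation Start Time": "2024-01-02 08:00", "_indextime": 1704182460, "Send To State": 1},
    {"Type of Report": "Sales", "Report Sub Type": "Daily",  "Report Generation Start Time": "2024-01-02 08:00", "_indextime": 1704182530, "Send To State": 3},
    {"Type of Report": "Audit", "Report Sub Type": "Weekly", "Report Generation Start Time": "2024-01-02 09:00", "_indextime": 1704186000, "Send To State": 0},
    {"Type of Report": "Audit", "Report Sub Type": "Weekly", "Report Generation Start Time": "2024-01-02 09:00", "_indextime": 1704186120, "Send To State": 2},
    # Two events indexed in the same second: _indextime alone cannot separate them.
    {"Type of Report": "Audit", "Report Sub Type": "Weekly", "Report Generation Start Time": "2024-01-02 09:00", "_indextime": 1704186120, "Send To State": 2},
]

BY_FIELDS = ("Type of Report", "Report Sub Type", "Report Generation Start Time")


def last_event_per_report(events):
    """Model of:
       | sort <by-fields>, -_indextime
       | streamstats current=t reset_on_change=t first(_indextime) as first_time
                     last(_indextime) as current_time by <by-fields>
       | eval isfirst=if(first_time==current_time, 1, 0) | search isfirst=1
    Returns the surviving events with first_time/current_time/isfirst attached."""
    key = lambda e: tuple(e[f] for f in BY_FIELDS)
    # sort: ascending on the by-fields, descending on _indextime
    ordered = sorted(events, key=lambda e: (key(e), -e["_indextime"]))
    kept = []
    # reset_on_change=t: the running window restarts whenever the by-fields change
    for _, group in groupby(ordered, key=key):
        group = list(group)
        first_time = group[0]["_indextime"]      # first(_indextime) in this group
        for e in group:
            current_time = e["_indextime"]       # last(_indextime) with current=t is this row
            isfirst = 1 if first_time == current_time else 0
            if isfirst:                          # search isfirst=1
                kept.append({**e, "first_time": first_time,
                             "current_time": current_time, "isfirst": isfirst})
    return kept
```

The constructed Audit group shows the caveat: two events sharing the same `_indextime` both satisfy `first_time==current_time`, so both are returned; if exactly one row per report is required, a further tiebreaker field must be added to the sort.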


dmacgillivray
Communicator

Thanks Haley, as I was thinking about what Lguinn said to me previously, I found it difficult to have a transaction without values that were really going to work similar to a Web or VPN or some other type of transactional type logic.

Thanks everyone for your assistance, and working with me on this.

lguinn2
Legend

What would "a transaction" look like? What defines a transaction - same type/sub-type of report? How does "IndexTime" affect the transaction?

It might be helpful to see the entire search string that you have so far...
