Splunk Search

transaction that ends if a certain value changes

christianhuber
Path Finder

Hi all,

I'm sure there was already someone who had this problem, and there is probably an answer right in front of me. But with all the effort reading through Splunk Answers I couldn't find a proper solution.

My Log file:

12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false

What I would like to have as a result:

12:00:00 name=SENSOR1 value=true duration=240
12:04:00 name=SENSOR1 value=false duration=420
12:11:00 name=SENSOR1 value=true duration=240

My current search:

value=true | transaction value, name maxpause=140s | append [search value=false | transaction value, name maxpause=140s]

Which gives me:

12:00:00 name=SENSOR1 value=true duration=180
12:04:00 name=SENSOR1 value=false duration=60
12:10:00 name=SENSOR1 value=false duration=0
12:11:00 name=SENSOR1 value=true duration=180

So I know the problem I have is the maxpause; how can I handle that problem? If I increase the maxpause it will combine events that shouldn't be together. But I would still like to have one event, as this is in my case one transaction, and it's possible that a sensor doesn't send a status value regularly.

Any help or a link to an already answered question would be nice.

Christian

0 Karma

sbbadri
Motivator

I hope it helps,

your search | eval _raw = _raw."#" | transaction value, name maxpause=140s | eventstats values(_raw) by duration | eval _raw = split(_raw,"#") | table _raw duration

0 Karma

christianhuber
Path Finder

Hi,

Thanks, but I think the problem will persist, as the maxpause is still making sure that if no event is received for 140s, a new transaction is started.

0 Karma

cmerriman
Super Champion

Try to use streamstats.

| makeresults
| eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"
| makemv data delim=","
| mvexpand data
| rename data as _raw
| kv
| convert auto(time) as _time
| sort 0 - _time name
| streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName
| sort 0 _time name
| streamstats earliest(_time) as sessionTime by name value reset_on_change=t
| eval duration=nextTime-_time
| stats sum(duration) as duration by sessionTime

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats

Adding something along the lines of:

| sort 0 - _time name
| streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName
| sort 0 _time name
| streamstats earliest(_time) as sessionTime by name value reset_on_change=t
| eval duration=nextTime-_time
| stats sum(duration) as duration by sessionTime

might help. Might need a little adjusting, though.
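The logic behind the streamstats answer above, worked through offline as an added example (not from the original post or from Splunk): consecutive events with the same name and value are collapsed into one run, a run ends only when the value changes, and the gap between events never splits a run (no maxpause). It generalizes to several sensors in one log by tracking the open run per name; the sample log is constructed to match the question, and the last run of each sensor is reported with duration None because nothing has closed it yet.

```python
# Constructed sample log, the same lines as in the question
SAMPLE_LOG = """\
12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false
"""

def parse_line(line):
    """Turn '12:00:00 name=SENSOR1 value=true' into (seconds, name, value)."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s, fields["name"], fields["value"]

def state_runs(log_text):
    """Collapse consecutive same-value events per sensor into runs, like
    'streamstats ... by name value reset_on_change=t'. A run's duration is
    the start of the sensor's next run minus the run's own start, so gaps
    between events do not end a run; the still-open last run gets None."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    runs = []        # runs in start order
    open_run = {}    # sensor name -> index in runs of its current run
    for t, name, value in events:
        idx = open_run.get(name)
        if idx is not None and runs[idx]["value"] == value:
            continue  # same state as before: still the same run
        if idx is not None:
            runs[idx]["duration"] = t - runs[idx]["start"]  # value changed: close it
        runs.append({"start": t, "name": name, "value": value, "duration": None})
        open_run[name] = len(runs) - 1
    return runs

def fmt(t):
    """Seconds since midnight back to HH:MM:SS for display."""
    return "%02d:%02d:%02d" % (t // 3600, t % 3600 // 60, t % 60)

if __name__ == "__main__":
    for r in state_runs(SAMPLE_LOG):
        print(fmt(r["start"]), "name=%s value=%s duration=%s"
              % (r["name"], r["value"], r["duration"]))
```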

christianhuber
Path Finder

I will try this and give feedback. At first glance it looks pretty good to me.

0 Karma