Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Find requests hits within span of time

likesplunk
New Member
‎09-24-2012 10:50 PM

Hi All,
Any inputs on the following requirement is appreciated.
I need to know the count of request of type1 followed by type2 that has happened within say 1 min with the same username

Tags (1)
0 Karma
Reply

emiller42
Motivator
‎09-26-2012 07:06 PM

maxspan isn't a field, it's an argument for the transaction command. You're saying "I want to group events as a single transaction that starts with "FOO" and ends with "BAR" but only if the time difference between the two is one minute or less."

Since there is no 'maxspan' field, it's not something you can reference later. However, when you transaction, it DOES create a new field called 'duration' which you can use later for evaluations.

| transaction username maxspan=1m startswith=eval(request="type1") endswith=eval(request="type2")  | timechart count

should give you a chart of the number of transactions over time. If you want to group them by the transaction duration, I would recommend doing some bucketing:

| transaction username maxspan=1m startswith=eval(request="type1") endswith=eval(request="type2") | bucket duration span=30 | timechart count by duration
0 Karma
Reply

emiller42
Motivator
‎10-05-2012 11:20 AM

And if this answer helped, please mark it as 'Answered' by clicking the green check. That way people finding this in the future will see it's a question with an accepted answer, as opposed to one that's still outstanding. Thanks!

0 Karma
Reply

Ayn
Legend
‎09-24-2012 10:55 PM

Assuming in this example that you have the fields request (values type1 or type2) and username extracted:

... | transaction username maxspan=1m startswith=eval(request="type1") endswith=eval(request="type2") | stats count
Reply

likesplunk
New Member
‎09-25-2012 03:37 AM

Not able to figure out the exact search fields, though have gone thru splunk tutorial.
For
i tried .. | transaction username maxspan=1m startswith=eval(request="type1") endswith=eval(request="type2")(maxspan=2s or maxspan=60s) | timechart span=5m count

With this, I am able to view the count of request during a specific period.What if wanted to know no of request of maxspan 2 and them maxspan 60 over a period of time

0 Karma
Reply

Ayn
Legend
‎09-25-2012 02:02 AM

You're using stats AND chart after that. That won't work. Have you taken the Splunk tutorial? It explains some concepts like this if you're new to Splunk.

0 Karma
Reply

likesplunk
New Member
‎09-25-2012 01:29 AM

i tried .. | transaction username maxspan=1m startswith=eval(request="type1") endswith=eval(request="type2") | stats count |chart count over maxspan.But I am not getting th expected result

0 Karma
Reply

Ayn
Legend
‎09-24-2012 11:46 PM

Sure. transaction will produce a field duration that shows the duration between its first and last event, so you could use that in your statistics.

0 Karma
Reply

likesplunk
New Member
‎09-24-2012 11:31 PM

Thanks.Is there a way to plot graph with maxspan & count

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...