Splunk Search

transaction and conditional logic

bilsch
Engager

I am working on a variation on a transaction query as described here: http://answers.splunk.com/questions/5619/calculating-the-duration-of-a-transaction-fragment-vs-the-t...

(... search )
| eval phase1_time=if(searchmatch("Entering"), _time, null())
| eval phase2_time=if(searchmatch("Exiting"), _time, null())
| transaction fields="sessionId" startswith="Entering" endswith="Exiting"
| eval phase1_duration=phase2_time-phase1_time
| search phase1_duration >= 10
| fields host,loginId,sessionId,phase1_duration,source

This works for my reporting purposes but I would like an operational version of this query that would be capable of providing results of sessionId's which have started/Entered but have not Exited yet - within a window of seconds similar to what I am doing with phase1_duration.

Anyone have ideas?

Tags (1)

gkanapathy
Splunk Employee
Splunk Employee

I'm wondering why you don't just use the "duration" field that is automatically computed by the "transaction" command, that is simply the difference between _time of the first and _time of the last event in the transaction.

If that field value works for you, you can simply add "keepevicted=true" to your transaction options, and incomplete transactions will be kept in your results, but the duration will be calculated according to the last event anyway.

bilsch
Engager

Good point on the duration vs eval to derive. This does simplify the original query - thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...