- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Transaction - max span is 1 calendar day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transaction - max span is 1 calendar day
Hi all, can I define somehow that I will get the only a transaction from the same calendar day?
I know that I can use maxspan but, if I have two transactions:
08-11-19 15:51
08-12-19 00:02
I would like that it will not show me this transaction (and maxspan=1d/24m not helping me with that).
**Example **
so this is an example to my logs:
1) 1/1/19 2:58 ON
2) 1/1/19 11:31 OFF
3) 1/1/19 13:21 ON
4) 1/1/19 17:03 OFF
5) 1/1/19 19:53 ON
6) 1/2/19 5:17 OFF
I wish to know for how long some users have been on state ON and on state OFF (going from ON to OFF is on and from OFF to ON is off) on the same day.
here I would like to get:
On 30780s (1->2)
Off 6660s (2->3)
On 13320s (3->4)
Off 10181s (4->5)
And I don't want that to show the transaction from 5 to 6 since it is not on the same date.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DO NOT use transaction; do it like this:
| makeresults
| eval raw="time=1/1/19T2:58,state=ON time=1/1/19T11:31,state=OFF time=1/1/19T13:21,state=ON time=1/1/19T17:03,state=OFF time=1/1/19T19:53,state=ON time=1/2/19T5:17,state=OFF"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename time AS _time
| eval _time = strptime(_time, "%m/%d/%yT%H:%M")
| sort 0 - _time
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval days = _time
| bin days span=1d
| streamstats count(eval(state="OFF")) AS transactionID
| stats values(*) AS * dc(days) AS day_count BY transactionID
| search day_count == 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so this is an example to my logs:
1) 1/1/19 2:58 ON
2) 1/1/19 11:31 OFF
3) 1/1/19 13:21 ON
4) 1/1/19 17:03 OFF
5) 1/1/19 19:53 ON
6) 1/2/19 5:17 OFF
I wish to know for how long some users have been on state ON and on state OFF (going from ON to OFF is on and from OFF to ON is off) on the same day.
here I would like to get:
On 30780s (1->2)
Off 6660s (2->3)
On 13320s (3->4)
Off 10181s (4->5)
And I don't want that to show the transaction from 5 to 6 since it is not in the same date.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DO NOT USE the transaction command. Where is your SPL? Show us your raw events and a mockup of your desired final output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you limit your search to a single day using earliest=@d or earliest=-1d latest=@d then the transaction will only have events from that day.
You might try bucketing events before the transaction. ... | bucket span=1d _time | transaction maxspan=1d ....
If this reply helps you, Karma would be appreciated.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
