Splunk Search

Alternative of transaction ?

lain179
Communicator

I have log lines that I need to group by 4 or 5 fields so that I can find the duration. I am using transaction, but it takes a long, long, long time even for 4 hours period. What's the best way to go around it?

Thanks


kristian_kolb
Ultra Champion

As martin_mueller noted, transaction can be rather resource expensive, and the stats variant he presented works well in a lot of situations. However, you might also (really really) need to limit the amount of events that the transaction command has to operate on.

This can be done by setting time constraints, specifying index, host, source, sourcetype etc, filtering out unwanted events, e.g. NOT debug.

Hope this helps,

k


martin_mueller
SplunkTrust

Indeed - regardless of transaction, that's a good approach for every search and will make the stats substitute faster as well.


martin_mueller
SplunkTrust

An often quicker way to compute pseudo-transactions is stats with a by-attribute. Consider this:

some search | stats earliest(_time) as _time range(_time) as duration by transaction_id

This will compute the start and duration of each transaction. If you need more fields you can add more to the stats - the less you need, the faster it will be.

Note, this lacks features of transaction such as maxspan, maxpause, and so on. If you need those you will likely have to stick with transaction. You can use those to optimize the query by the way - if you for example know the maximum duration you may be able to drastically reduce the number of open transactions and speed things up without switching to stats.

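An added illustration (not from the thread) of what the stats substitute computes versus what transaction adds with maxpause. It assumes constructed events with host, user, session and level fields, a cheap pre-filter equivalent to NOT DEBUG, and a 60-second maxpause; group-by fields and values are invented for the example.

```python
from collections import defaultdict

# Constructed sample events (epoch seconds), not taken from any real index.
EVENTS = [
    {"_time": 1000, "host": "web1", "user": "alice", "session": "s1", "level": "INFO"},
    {"_time": 1005, "host": "web1", "user": "alice", "session": "s1", "level": "DEBUG"},
    {"_time": 1030, "host": "web1", "user": "alice", "session": "s1", "level": "INFO"},
    {"_time": 1002, "host": "web2", "user": "bob",   "session": "s2", "level": "INFO"},
    {"_time": 1100, "host": "web1", "user": "alice", "session": "s1", "level": "INFO"},
]

GROUP_BY = ("host", "user", "session")  # the 4-5 "by" fields from the question, assumed names


def stats_pseudo_transactions(events, by=GROUP_BY, exclude_level="DEBUG"):
    """Mirror of: ... NOT DEBUG | stats earliest(_time) as _time range(_time) as duration by <by>.
    One pass, one bucket per key: this is why stats is cheap."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("level") == exclude_level:  # filter early, like `NOT debug` in the base search
            continue
        groups[tuple(ev[f] for f in by)].append(ev["_time"])
    return {k: {"_time": min(ts), "duration": max(ts) - min(ts)} for k, ts in groups.items()}


def transaction_maxpause(events, maxpause, by=GROUP_BY, exclude_level="DEBUG"):
    """Transaction-style grouping: a new transaction starts whenever the gap between
    consecutive events of the same key exceeds maxpause. stats cannot express this split,
    which is the caveat noted above. Returns (key, start, duration) tuples."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("level") == exclude_level:
            continue
        groups[tuple(ev[f] for f in by)].append(ev["_time"])
    out = []
    for key, ts in groups.items():
        start = last = ts[0]
        for t in ts[1:]:
            if t - last > maxpause:       # pause too long: close the open transaction
                out.append((key, start, last - start))
                start = t
            last = t
        out.append((key, start, last - start))
    return out
```

With these events stats reports one 100-second group for web1/alice/s1, while the maxpause variant splits it into a 30-second transaction and a second one starting at 1100.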