Splunk transaction timestamps events
During data indexing, Splunk breaks data into events. Splunk can index any type of time series data (data with timestamps). The transaction command finds transactions based on events that meet various constraints. Transactions are made up of the raw text (the raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member. Additionally, the transaction command adds two fields to the raw events.

I'm posting a new answer because I can't comment from my workplace for some reason.

To calculate times within a transaction, you should eval the times before initiating the transaction, eval your time differences within each transaction, then use stats to find the time differences average or whatever you need. For example:

  index=citrix sourcetype="wts_log"
  | eval Start_Time=if(Status="STARTED",_time,null())
  | eval Step_1_Time=if(Status="Step1_Complete",_time,null())
  | eval Step_2_Time=if(Status="Step2_Complete",_time,null())
  | eval Step_3_Time=if(Status="Step3_Complete",_time,null())
  | eval Step_4_Time=if(Status="Step4_Complete",_time,null())
  | eval Finish_Time=if(Status="FINISHED",_time,null())
  | transaction UserName host startswith="STARTED" endswith="FINISHED"
  | eval Step_1_Completion=Step_1_Time-Start_Time
  | eval Step_2_Completion=Step_2_Time-Start_Time
  | eval Step_3_Completion=Step_3_Time-Start_Time
  | eval Step_4_Completion=Step_4_Time-Start_Time
  | stats avg(Step_1_Completion) as Step_1_Completion_Average, avg(Step_2_Completion) as Step_2_Completion_Average, avg(Step_3_Completion) as Step_3_Completion_Average, avg(Step_4_Completion) as Step_4_Completion_Average

The search is longer now, but you can figure all kinds of inter-transaction timing with this kind of search.

The events in our logs are in reverse chronological order - I reversed the lines in the log and the query worked as expected.