The transaction command allows Splunk users to locate events that match certain criteria. The transaction command is the simplest way to aggregate related logs. A real-world example of how a transaction is used is a customer interacting with an eCommerce site. Transactions usually include information such as the duration between events and the number of events (eventcount).

Transaction over multiple events with same timestamp
KrishnaR, Path Finder, 06-07-2010 10:21 PM

Hi, I'm a Splunk newbie and I'm trying to write some queries for our logs using 'transaction'. These are events performed by someone who is using a product that we make at the company I work at. So far, when someone logs in we have been using the (custom field) value of action=login to view this event. In order to work out how long it takes someone to log in, we have simply been using the time_taken field for this action. However, we have come to realize that what actually happens when someone logs in is that the action=login starts the process, and then another log/event finishes this process, called a_action=event_status. Our logs have multiple events for the same timestamp as follows (I have simplified the logs, removing the unrelated fields w.r.

Is it possible to find the time difference between these two events? I know they both have timestamps, which can be converted to epoch. The difference between these values is all we need; what is the easiest way to calculate this?

(However, we do get onto the issue of making sure that we are looking at the same person instance of the product. We can see this from the cs_username field. If there are multiple events with the same timestamp, the silverlight event (if it exists) will come first. If anyone knows how to tackle this issue at the same time that would be hugely convenient, but one issue at a time will suffice for now.)

Depending on your log volume and what you want to see, the following will show the 95th percentile of the time between two events.

| eventstats p95(duration) AS p95_duration | eval action = if(match(a_action, "event_status"), "login_complete", action)

Or you can calculate those with timechart/stats/chart and get a table of values or a visual representation, and use predict to forecast the values.

`comment("| timechart avg(duration) AS avg_duration, p95(duration) AS p95_duration, max(duration) AS max_duration, min(duration) AS min_duration by cs_username | predict avg_duration p95_duration max_duration")`

If you click on the duration field on the left of the events list, it will show the average, minimum, maximum, and standard deviation.

In my answer I set the window to 1, so it only looks at the prior event. The streamstats command is not very efficient (neither is transaction BTW). I think the default maxspan is 1 day, which can cause a large number of evicted records if you have a large log volume. Using a reasonable maxspan value and startswith will significantly reduce the number of transactions in memory.

When you set up a log event alert action, populate event fields with plain text or tokens. Using the log event alert action requires the editlogalertevent capability. As with other alert actions, log events can be used alone or in addition to other alert actions for a given alert. Log events are sent to your Splunk deployment for indexing.