leftsell.blogg.se

Splunk transaction duration chart

To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk.

The transaction command groups the rows by key (which is whited-out, below) with maxevents=2. However, the results of that transaction appear disjointed.

Chart the average number of events in a transaction, based on transaction duration. This example uses the sample data from the Search Tutorial.

#Admin Edit (fixed sourcetype and changed it to source…queries should work again).

I have Splunk poll a database and return the results into a transaction command.


source=WinEventLog:Security (EventCode=528 OR EventCode=538) (Logon_Type=2 OR Logon_Type=10)
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| transaction host User startswith=EventCode=528 endswith=EventCode=538
| where duration > 5
| eval duration = duration/60
| eval duration=round(duration,2)
| table host, User, LogonType, duration, Date
| rename duration as "Session Duration in Minutes"
| sort - Date

source=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10)
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| transaction host user startswith=EventCode=4624 endswith=EventCode=4634
| where duration > 5
| eval duration = duration/60
| eval duration=round(duration,2)
| table host, user, LogonType, duration, Date
| rename duration as "Session Duration in Minutes"
| sort - Date

You can extract the elapsed time with a regular expression: "finished executing normally" | rex field=_raw "elapsed time (.

09-16-2013 11:18 AM Two ways to do this: Easiest way would be to just search for lines that contain the 'elapsed time' value in it and chart those values.

Real-time export of detected problem events to 3rd party systems (Elastic, Splunk, etc.).

I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment).

At this point, I'll have a transaction which will look like this: time,starttime,endtime,X.

Emulate real-life transactions with synthetic monitoring.


The total incident duration of the application is equal to 1h30 and not to 2h. This is the correct way when incidents (transactions) do not overlap, but when they overlap as in the previous example.

The following query will return the duration of user logon time between initial logon and logoff events.

Before, to calculate the total duration of the incident on application X I added the duration of transaction 1 + the duration of transaction 2.






