Have you ever needed to see how long a server has been down? Or maybe find the duration of processing calls? Instead of wading through a pile of complicated eval statements or subtracting different time spans by hand, Splunk has made it simple with an all-in-one search command: transaction.
Transaction lets us, the users, correlate related events, based on various constraints, into transactional (I said the magic word) data. This is typically information such as the duration between events and the number of events (the eventcount).
HOW TO USE TRANSACTION
Using the transaction command is much simpler than it may seem. At its most basic, all the command needs is the field to group events on, and that is the only requirement for using it. However, to get the most accurate results, it is best to add a few more things to the line:
| transaction <field> maxevents=# startswith="" endswith=""
TRANSACTION USE CASES
This is a solid foundation for most use cases. Let's break it down:
<field> – the field that links the events together, something to match events on
Maxevents – the maximum number of events in each transaction
Startswith – events containing this term will begin the transaction
Endswith – events containing this term will close the transaction
Let's look at an example. I have a list of different servers that each generate a status event and a timestamp:
Now what I want to do is build a transaction from these events to find the duration for which a server was down. To do this, I'll need to write a line like this:
| transaction server maxevents=2 startswith="Down" endswith="Up"
Look for these results when running your transaction search command...
Server – the field we match on
Maxevents=2 – we ONLY want to see a single Down and Up event per transaction
Startswith=Down – we want the Down event to start the transaction so we can find how long a server has been down
Endswith=Up – this will close the transaction, showing the server is back up
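To make the grouping concrete, here is a small Python model of what that search computes. It is an added example, not code from the article or from Splunk: it reproduces, in a simplified way, how transaction groups events by a field, opens a group on a startswith match, closes it on an endswith match or when maxevents is reached, and then reports Splunk's duration, eventcount and closed_txn fields. The events are constructed sample data, and matching is a plain case-sensitive substring check rather than Splunk's search-term matching.

```python
from datetime import datetime

# Constructed sample events (not from the article): each server emits a status
# line with a timestamp. web03 goes down and never comes back in this sample.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01 08:00:00", "server": "web01", "_raw": "web01 status=Down"},
    {"_time": "2024-01-01 08:05:00", "server": "web02", "_raw": "web02 status=Down"},
    {"_time": "2024-01-01 08:12:00", "server": "web01", "_raw": "web01 status=Up"},
    {"_time": "2024-01-01 08:30:00", "server": "web02", "_raw": "web02 status=Up"},
    {"_time": "2024-01-01 09:00:00", "server": "web03", "_raw": "web03 status=Down"},
]


def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def transaction(events, field, maxevents=None, startswith=None, endswith=None):
    """Simplified model of `| transaction <field> maxevents=# startswith="" endswith=""`.

    Returns one dict per transaction carrying the grouping field, the grouped
    events, and the fields Splunk adds: duration (seconds between first and last
    event), eventcount, and closed_txn (1 if an endswith match or maxevents
    closed it, 0 if it was still open when the events ran out).
    """
    open_txns = {}  # field value -> events of the transaction currently being built
    results = []

    def close(key, closed_txn):
        evs = open_txns.pop(key)
        results.append({
            field: key,
            "events": evs,
            "eventcount": len(evs),
            "duration": (_ts(evs[-1]) - _ts(evs[0])).total_seconds(),
            "closed_txn": closed_txn,
        })

    for ev in sorted(events, key=_ts):
        key, raw = ev[field], ev["_raw"]
        if startswith and startswith in raw:
            # A start event always opens a fresh transaction; if one was still
            # open for this key it is emitted unfinished (closed_txn=0).
            if key in open_txns:
                close(key, closed_txn=0)
            open_txns[key] = [ev]
        elif key in open_txns:
            open_txns[key].append(ev)
        elif startswith:
            # With startswith set, an event that arrives before any start event
            # for its key has nothing to attach to, so it is dropped.
            continue
        else:
            open_txns[key] = [ev]

        if endswith and endswith in raw:
            close(key, closed_txn=1)
        elif maxevents and len(open_txns[key]) >= maxevents:
            close(key, closed_txn=1)

    # Whatever is still open (e.g. a server that never came back up) is emitted
    # too, flagged as not closed, just as Splunk reports closed_txn=0.
    for key in list(open_txns):
        close(key, closed_txn=0)
    return results


def server_downtime(events=SAMPLE_EVENTS):
    """Run the article's search against the sample and map server -> downtime seconds."""
    txns = transaction(events, "server", maxevents=2, startswith="Down", endswith="Up")
    return {t["server"]: t["duration"] for t in txns}


if __name__ == "__main__":
    for t in transaction(SAMPLE_EVENTS, "server", maxevents=2, startswith="Down", endswith="Up"):
        print(t["server"], "duration=%ss" % t["duration"],
              "eventcount=%d" % t["eventcount"], "closed_txn=%d" % t["closed_txn"])
```

The closed_txn value is the one to check when using this for downtime reporting: a transaction with closed_txn=0 and only a Down event means the server is still down (or its Up event is outside the search window), so its duration of 0 is not "no outage".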
ASK THE EXPERTS
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) specialists. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you're interested in learning more about our EOD service or speaking with our team of experts, fill out the form below!