8/9/2023

Splunk transaction time query

Identify and Group Events into Transactions

Introduction

The most common approach uses either the transaction or stats command. But when should you use transactions and when should you use stats?

The rule of thumb: If you can use stats, use stats. It's faster than transactions, especially in a distributed environment. With that speed, however, come some limitations. You can only group events with stats if they have at least one common field value and if you require no other constraints. Typically, the raw event text is discarded.

Like stats, the transaction command can group events based on common field values, but it can also use more complex constraints such as the total period of the transaction, delays between events within the transaction, and required beginning and ending events. Unlike stats, transaction retains the raw event text and field values from the original events, but it does not compute any statistics over the grouped events, other than the duration (the delta of the _time field between oldest and newest events in the transaction) and the event count (the total number of events in the transaction).

The transaction command is most useful in two specific cases:

- When unique field values (also known as identifiers) are not sufficient to discriminate between discrete transactions.
- When it is desirable to see the raw text of the events rather than an analysis on the constituent fields of the events.

Again, when neither of these cases is applicable, it is a better practice to use stats, as search performance for stats is generally better than a transaction.

Often there is a unique identifier, and stats can be used. For example, to compute statistics on the duration of trades identified by the unique identifier trade_id, the following searches yield the same answer:

… | transaction trade_id

… | stats range(_time) as duration by trade_id
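The first case above, where an identifier is not enough to separate transactions, can be tried with the search below. It is an added example, not part of the original post: the events are constructed with makeresults, and the field names session_id and action, the value S1 and the 5-minute pause are assumptions chosen for illustration. The same session_id appears in two login-to-logout sequences an hour apart, and transaction separates them using required beginning and ending events plus a limit on the delay between events.

```spl
| makeresults count=6
| streamstats count AS n
| eval source_note="constructed sample events, not from the page"
| eval offset=case(n=1,0, n=2,20, n=3,45, n=4,3600, n=5,3630, n=6,3650)
| eval _time=relative_time(now(), "@d") + offset
| eval session_id="S1"
| eval action=case(n=1 OR n=4,"login", n=3 OR n=6,"logout", true(),"query")
| eval _raw=action." session_id=".session_id
| sort 0 - _time
| transaction session_id startswith=eval(action="login") endswith=eval(action="logout") maxpause=5m
| table _time session_id duration eventcount
```

Replacing the last two commands with `stats range(_time) as duration by session_id` groups on session_id alone, so both sequences fall into a single row whose duration spans the idle hour between them.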