Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate Transaction Duration

indeed_2000
Motivator
‎07-17-2021 01:32 AM

Hi

i have log file like this:

 

2021-07-15 00:00:01,869 INFO client.InEE-server1-1234567 [AppListener] Receive Message[A123]: Q[p1.APP], IID[null], Cookie[{"NODE_SRC":"server0"}]

2021-07-15 00:00:01,871 INFO client.InEE-server1-1234567 [AlnProcessorService] Normal Message Received: A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server1]

2021-07-15 00:00:01,892 INFO client.InEE-server1-1234567 [TransactionProcessorService] Message Processed: A[000] TA[client.OutEE-server2] Status[OK-GO,NEXT]

2021-07-15 00:00:01,988 INFO APP.InEE-server1-1234567 [AaaPowerManager] Send Message [X0000A0000] to [APP.p2] with IID[null], LTE[00000]
.
.

.
2021-07-15 00:00:11,714 INFO APP.InE-p2-9876543 [AppListener] Receive Message[Y000000Z00000]: Q[p2.APP], IID[null], Cookie[null

2021-07-15 00:00:11,719 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Normal Message Received:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server2]

2021-07-15 00:00:11,736 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Message Processed:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] TA[client.OutEE-server1] Status[OK-OUT,null]
.
2021-07-15 00:00:11,747 INFO APP.InEE-P2-9876543_CLIENT.InEE-server1-1234567 [AaaPowerManager] Send Message [A123] to [APP.p1] with IID[null], LTE[00000]




Here is the flow:

step1 (Receive Request):

Server0> Client.InEE-server1>Client.OutEE-server2>  

step2 (Reply to request)

Client.InEE-server2> Client.OutEE-server1

 


expected result:

id                                            Source                                   destination                                 State                   duration

1234567                            Server0                                  Client.InEE-server1                Received          00:00:00:002

1234567                            -                                                 -                                                      Processed        00:00:00:021

1234567,9876543        -                                                Client.InEE-server2               Send                    00:00:00:096

9876543                            Client.InEE-server2          -                                                     Receive              00:00:09:726

9876543                            -                                                  -                                                     Received           00:00:00:005

9876543                            -                                                 -                                                      Processed        00:00:00:017

9876543,1234567        -                                                Client.OutEE-server1            Send                    00:00:00:011

Total duration                                                                                                                                                           00:00:09:878


      

FYI:  SA=source address, TA=target address 

Any idea 

Thanks,

Labels (6)
0 Karma
Reply

efika
Communicator
‎07-17-2021 07:31 AM

@indeed_2000 , what I wrote below is the complete SPL command assuming id and State are the correct fields just like you described.

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:39 AM

actually i want full SPL commands, because one of the problem is that I can’t extract fields on table.

 Thanks 

0 Karma
Reply

efika
Communicator
‎07-17-2021 12:15 PM

@indeed_2000 ,

What system/app is generating this logs ? did you try to find a TA on Splunkbase for it ?

At any rate, based on the logs you attached, this is what I came up with :

 

| rex "\-(?<id>\d+)\s*(\[|\_).*\-(?<id2>\d+)\s*(\[|\_)" 
| rex "(?<State>(Receive|Send|Received|Processed))(\s+Message|\:)" 
| transaction id startswith=(State=Received) endswith=(State=Send)
0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 02:34 PM

it's a custom app unfortunately there is no TA for that.

after run what you mention get this result 

id                    id2              duration

9876543    1234567    00:00:00:028

 

seems just apply for last part.

any idea?

thank

0 Karma
Reply

efika
Communicator
‎07-17-2021 02:34 AM

Hi @indeed_2000 ,

You can use the transaction command:

transaction id  startswith=(State=Received) endswith=(State=Send)

The duration field will be created for you by the command.

 

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:16 AM

@efika Thank you for answer,

would you please tell me complete SPL command?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...