Re: Calculate Transaction Duration

indeed_2000 · ‎07-17-2021

Hi

i have log file like this:

2021-07-15 00:00:01,869 INFO client.InEE-server1-1234567 [AppListener] Receive Message[A123]: Q[p1.APP], IID[null], Cookie[{"NODE_SRC":"server0"}]

2021-07-15 00:00:01,871 INFO client.InEE-server1-1234567 [AlnProcessorService] Normal Message Received: A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server1]

2021-07-15 00:00:01,892 INFO client.InEE-server1-1234567 [TransactionProcessorService] Message Processed: A[000] TA[client.OutEE-server2] Status[OK-GO,NEXT]

2021-07-15 00:00:01,988 INFO APP.InEE-server1-1234567 [AaaPowerManager] Send Message [X0000A0000] to [APP.p2] with IID[null], LTE[00000]
.
.

.
2021-07-15 00:00:11,714 INFO APP.InE-p2-9876543 [AppListener] Receive Message[Y000000Z00000]: Q[p2.APP], IID[null], Cookie[null

2021-07-15 00:00:11,719 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Normal Message Received:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server2]

2021-07-15 00:00:11,736 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Message Processed:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] TA[client.OutEE-server1] Status[OK-OUT,null]
.
2021-07-15 00:00:11,747 INFO APP.InEE-P2-9876543_CLIENT.InEE-server1-1234567 [AaaPowerManager] Send Message [A123] to [APP.p1] with IID[null], LTE[00000]

Here is the flow:

step1 (Receive Request):

Server0> Client.InEE-server1>Client.OutEE-server2>

step2 (Reply to request)

Client.InEE-server2> Client.OutEE-server1

expected result:

id Source destination State duration

1234567 Server0 Client.InEE-server1 Received 00:00:00:002

1234567 - - Processed 00:00:00:021

1234567,9876543 - Client.InEE-server2 Send 00:00:00:096

9876543 Client.InEE-server2 - Receive 00:00:09:726

9876543 - - Received 00:00:00:005

9876543 - - Processed 00:00:00:017

9876543,1234567 - Client.OutEE-server1 Send 00:00:00:011

Total duration 00:00:09:878

FYI: SA=source address, TA=target address

Any idea

Thanks,

efika · ‎07-17-2021

@indeed_2000 , what I wrote below is the complete SPL command assuming id and State are the correct fields just like you described.

indeed_2000 · ‎07-17-2021

actually i want full SPL commands, because one of the problem is that I can’t extract fields on table.

Thanks

efika · ‎07-17-2021

@indeed_2000 ,

What system/app is generating this logs ? did you try to find a TA on Splunkbase for it ?

At any rate, based on the logs you attached, this is what I came up with :

| rex "\-(?<id>\d+)\s*(\[|\_).*\-(?<id2>\d+)\s*(\[|\_)" 
| rex "(?<State>(Receive|Send|Received|Processed))(\s+Message|\:)" 
| transaction id startswith=(State=Received) endswith=(State=Send)

indeed_2000 · ‎07-17-2021

it's a custom app unfortunately there is no TA for that.

after run what you mention get this result

id id2 duration

9876543 1234567 00:00:00:028

seems just apply for last part.

any idea?

thank

efika · ‎07-17-2021

Hi @indeed_2000 ,

You can use the transaction command:

transaction id  startswith=(State=Received) endswith=(State=Send)

The duration field will be created for you by the command.

indeed_2000 · ‎07-17-2021

@efika Thank you for answer,

would you please tell me complete SPL command?

Calculate Transaction Duration

fields

regex

rex

stats

table

transaction

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!