Grouping related events

ahogbin
Communicator

Hello. I am having a bit of a hard time trying to get my head around a report that I am attempting to create.

What I am attempting to do is to produce a report that combines the sub values (processes) of the parent ID. Let's say I have ParentID A, which in turn has sub processes A, B & C with duration values against each.

Now, I would like to graph the values so that each ParentID appears as a separate column with its sub (child) processes stacked relative to their duration. Ideally what I want to be able to see is where a process for any transaction has blown out.

So far I have managed to produce a table that displays the Conversation ID (parent), the Message ID of the sub processes, the sub processes themselves and the duration of each process.

Below is the search query I am running (there is probably a better way of doing it, but with my limited knowledge this is as good as I can get).

sourcetype="evo_logs" 
| transaction MESSAGEID AND USERID 
| table _time, CONVERSATIONID, MESSAGEID, USERID, PROCESS, duration 
| sort CONVERSATIONID, _time

The problem is that each Conversation (parentID) is split over multiple lines, dependent on the number of MessageIds or processes.

I am struggling with trying to work out how I can group by Message (parent) ID and then by Process and Duration.

Any help that you can offer a complete Splunk newbie would be very much appreciated.

Cheers,

Alastair


derekarnold
Communicator

Possibly your events are too far apart in time?
Try experimenting with the maxspan and maxpause commands at the end of your transaction.

Maxspan is the max time between earliest and latest events. Maxpause is the total time between events.

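A worked version of the search from the question, combined with the maxspan and maxpause options suggested in the reply. This is an added example, not the original poster's search or the reply's own code: the field names (CONVERSATIONID, MESSAGEID, USERID, PROCESS) and the sourcetype come from the question, while the time limits (maxspan=1h, maxpause=10m) and the two-standard-deviation threshold for a "blown out" process are assumptions. The first search builds one row per conversation with one column per process, which is the shape a stacked column chart needs; the second keeps one row per sub process and flags the ones whose duration is unusually long compared with the same process elsewhere.

```spl
sourcetype="evo_logs"
| transaction MESSAGEID USERID maxspan=1h maxpause=10m
| chart sum(duration) over CONVERSATIONID by PROCESS

sourcetype="evo_logs"
| transaction MESSAGEID USERID maxspan=1h maxpause=10m
| eventstats avg(duration) as avg_dur, stdev(duration) as sd_dur by PROCESS
| eval blown_out=if(duration > avg_dur + 2*sd_dur, "yes", "no")
| table CONVERSATIONID MESSAGEID PROCESS duration avg_dur blown_out
| sort -duration
```

To get the stacked view, run the first search, open the Visualization tab, choose Column chart and set Stack mode to "stacked": each CONVERSATIONID becomes a column and each PROCESS a segment sized by its summed duration. The second search is the one to save as an alert or a dashboard panel, since it surfaces the conversations where a single process has run far beyond its usual duration without requiring anyone to read the chart by eye. The maxspan and maxpause values decide when transaction closes a group, so tune them to the longest legitimate conversation and the longest legitimate gap between its events; if they are too small a conversation is split into several transactions and the chart shows it twice.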