Hello. I am having a bit of a hard time trying to get my head around a report that I am attempting to create.
What I am attempting to do is to produce a report that combines the sub values (processes) of the parent ID. Let's say I have ParentID A, which in turn has sub-processes A, B & C with duration values against each.
Now, I would like to graph the values so that each ParentID appears as a separate column with its sub (child) processes stacked relative to their duration. Ideally, what I want to be able to see is where a process for any transaction has blown out.
So far I have managed to produce a table that displays the Conversation ID (parent), the Message ID of the sub-processes, the sub-processes themselves and the duration of each process.
Below is the search query I am running (there is probably a better way of doing it, but with my limited knowledge this is as good as I can get):
sourcetype="evo_logs"
| transaction MESSAGEID USERID
| table _time, CONVERSATIONID, MESSAGEID, USERID, PROCESS, duration
| sort CONVERSATIONID, _time
The problem is that each Conversation (parent ID) is split over multiple lines depending on the number of Message IDs or processes.
I am struggling with trying to work out how I can group by Message (parent) ID and then by Process and Duration.
Any help that you can offer a complete Splunk newbie would be very much appreciated.
Cheers,
Alastair

Possibly your events are too far apart in time?
Try experimenting with the maxspan and maxpause commands at the end of your transaction.
Maxspan is the max time between earliest and latest events. Maxpause is the total time between events.
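One way to get from the posted search to the per-conversation breakdown the question asks for, while also applying the maxspan/maxpause limits the reply suggests. This is an added example and is not part of either post. It assumes the field names used in the question (CONVERSATIONID, MESSAGEID, USERID, PROCESS), the duration field that transaction produces for each grouped message, and that CONVERSATIONID and PROCESS are constant across the events of one MESSAGEID; the 10m/2m limits and the 50% threshold are illustrative assumptions.

```spl
sourcetype="evo_logs"
| transaction MESSAGEID USERID maxspan=10m maxpause=2m
| stats sum(duration) AS duration BY CONVERSATIONID PROCESS
| eventstats sum(duration) AS conv_total BY CONVERSATIONID
| eval share_pct=round(100*duration/conv_total, 1)
| where share_pct > 50
| sort CONVERSATIONID -duration
```

The stats line collapses the many per-message rows into one row per conversation and process, which is the grouping the question was missing; eventstats adds the conversation total to every row without collapsing further, so the share of each process can be computed and a process that dominates its conversation can be filtered out. For the stacked column, drop everything after stats and finish with `| chart sum(duration) OVER CONVERSATIONID BY PROCESS`, then choose a column chart with stacking enabled in the Visualization tab. Two caveats: maxspan and maxpause that are too small will split a genuine transaction into several and make the durations look shorter than they are, so check eventcount on the transaction output before trusting the numbers; and transaction is memory-hungry on large data, so on a busy sourcetype `| stats min(_time) AS start max(_time) AS end BY MESSAGEID USERID CONVERSATIONID PROCESS | eval duration=end-start` gives the same duration without the transaction command.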