Below is a sample log; I want to find the time difference. With this query
index=[search] | transaction startswith="A started" endswith="A completed"
I was able to find the rows from the log.
2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:09 Component Log-level A Completed
The x-axis should be plotted with span=1d and the y-axis with the time difference value. Please help me.
If I understand what you are trying to say, you want a 24-hour chart with every transaction in that 24 hours and its respective duration. I think there is some confusion by your use of the phrase "span=1d" because that is commonly a search argument to timechart - which will have to do some statistical aggregation because that is all it knows.
An approach that you can use with limited data is something like this:
index=[search] earliest=@d latest=@d+1d
| transaction startswith="A started" endswith="A completed"
| table _time, duration
This produces chartable data that is 24 hours wide with every data point in the sample represented. BUT if you have more than a few hundred data points, it starts to fall apart fast. Example - on a 1600x1200 screen, even if the chart is full screen you only have enough room for about 1500 data points (assuming 1 pixel per data point).
When you have a large number of data points and you need a somewhat sensical graph, that is where doing timechart and aggregating over time ranges is essential. For example, over a 1 day search period take an average - or maximum or minimum or something - over a span=1m.
duration is calculated as the time difference between the first and last event in a transaction, regardless of how many events are in the transaction.
I'm sorry, but perhaps you can give more sample data and explain why the durations you get are 'wrong'.
Hi dwaddle,
E.g. the query works fine when the log result looks like below,
2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:09 Component Log-level A Completed
But it fails when there are in-between lines: it aggregates the time differences of all the lines and gives that.
2013-10-04T07:54:09 Component Log-level A Completed \ this is the ends-with content
I need the time difference between the start and end content, excluding the time difference of the in-between lines.
Perhaps a timechart is what you are looking for, for plotting the duration value over time for a certain transaction. duration is calculated automatically by the transaction command. See the example below, which works on standard Apache web logs.
sourcetype=access_combined earliest=-1h clientip=10.1.1.1
| transaction clientip maxspan=3m
| timechart span=1m first(duration) by clientip
Hope this helps,
K
Maybe I could have been more clear with that. Given the timespans in my example, there will not be more than one transaction per timeslice, so it does not matter which avg(), min(), first() etc. function is used.
My reading is "I want every duration plotted, not first() or avg()".
duration IS the time difference between start pattern and end pattern, i.e. startswith and endswith, for EACH transaction. The sample log in your question would have a duration value of 4 (seconds), regardless of how many events there are IN the transaction.
Is there some other time difference you wish to calculate? Please provide more sample events, and a description of how you want it charted.
/k
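To make the point above concrete, here is an added Python sketch (not Splunk code, and not from anyone in this thread) that pairs start and end markers the way transaction startswith/endswith does, computes each transaction's duration, and buckets the results by day. The log lines are constructed, and the case-insensitive matching of the marker text is an assumption about how the search terms behave.

```python
from datetime import datetime

# Constructed sample log modelled on the thread's format. The "Progress" line is an
# in-between event that the transaction would also contain; it must not change duration.
SAMPLE_LOG = """\
2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:07 Component Log-level A Progress
2013-10-04T07:54:09 Component Log-level A Completed
2013-10-05T08:00:00 Component Log-level A Started
2013-10-05T08:00:15 Component Log-level A Completed
"""


def parse_line(line):
    """Split a log line into (timestamp, message); the timestamp is the first field."""
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts), msg


def transactions(log, startswith, endswith):
    """Mimic `transaction startswith=... endswith=...`: pair each start marker with
    the next end marker and report duration = end - start in seconds.
    Any events between the two markers belong to the transaction but do not
    affect the duration, which is exactly what the thread explains.
    Assumption: marker text is matched case-insensitively, like a search term."""
    start = None
    results = []
    for line in log.splitlines():
        ts, msg = parse_line(line)
        if startswith.lower() in msg.lower():
            start = ts
        elif endswith.lower() in msg.lower() and start is not None:
            results.append((start, (ts - start).total_seconds()))
            start = None
    return results


def by_day(txns):
    """Rough equivalent of `chart last(duration) by _time` with a 1-day bucket:
    returns {day: [durations...]} so every transaction stays visible instead of
    being collapsed into one number by `timechart span=1d avg(duration)`."""
    buckets = {}
    for start, dur in txns:
        buckets.setdefault(start.date().isoformat(), []).append(dur)
    return buckets
```

Running it on the constructed log gives durations of 4 and 15 seconds, one per day, with the in-between line ignored.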
Yes, duration is calculated, but I need the time difference between the start pattern and the end pattern, not all of them.
You would use timechart. Transaction already calculates the duration between start and end of a transaction.
index=[search] | transaction startswith="A started" endswith="A completed"
| timechart span=1d avg(duration)
Well, anytime you bucket you need to aggregate the data in some way by either doing an average, max, min etc. If you just want to list them all you could do the following instead:
| chart last(duration) by _time
This is pretty close to what Kristian suggested below so I am not sure why you didn't like his answer?
How do I get that transaction time difference? The query which you gave gives only the average. I need the difference for every transaction that happened; it is present in the same event.