Timing inner transactions

RVDowning · ‎06-09-2014

I Have transactions within transactions, namely something like the following:

PlanId, [OPEN PLAN START] Action="AAA"
.
PlanId, [OPEN PLAN End] Action="AAA"
PlanId, [BBB START] Action="BBB"
.
.
PlanId, [BBB End]Action="BBB"
PlanId, [MMM START] Action="MMM"
.
.
PlanId, [MMM End]Action="MMM"

this would be followed by another transaction with a new PlanId, etc.

I can do the following:
source="blahblah" | transaction PlanId startswith="[OPEN PLAN START]"
| table PlanId, Action, duration
which gives me a table of the PlanIds, Actions, and durations of the outer transaction.

The question is, how can I get the durations of the individual actions within each PlanID, namely the duration of AAA, BBB, MMM, etc.

Also, it would be of interest to get the average durations of all AAA, BBB, MMM etc across all PlanIds.

somesoni2 · ‎06-09-2014

Try something like this

source="blahblah" | transaction PlanId,Action startswith="START]" endswith="END]" | table PlanId, Action, duration

somesoni2 · ‎06-10-2014

What issue do you see in the output of the answer I gave? Since, we don't know the actual events, it would help if you can describe how far it is from the expected.

RVDowning · ‎06-10-2014

I wasn't sufficiently clear in my problem description.

Guess what I'm looking for is output something like:
PlanID1 AAA duration
BBB duration
.
EEE duration
PlanId2 AAA duration
BBB duration
.
EEE duration
.
.

etc.

(of course the AAA, BBB, etc are not in alphabetical order.

So, a given PlanId may be opened more than once and will have its own set of internal transactions. Each will start with [OPEN PLAN START] and continue as long as the PlanId stays the same and another [OPEN PLAN START] is not encountered.

Timing inner transactions

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life