Hey,
I'm a first time user and I'd like to use splunk for observing performance issues in an application. We want to see how much time an application uses to fetch the data and render the data.
Basically the planning application fetches data from a DB backend and renders it onto the screen. Sometimes the user wants to view the data in a grid, sometimes in a graphical chart, sometimes even both (multiple windows can be open at the same time). In case both views are open, the system only retrieves data once.
The app produces the following log at the moment:
2015-08-31 10:29:02:666 1 start-total Next Day
2015-08-31 10:29:02:686 1 start-data refresh function
2015-08-31 10:29:04:284 1 end-data refresh function
2015-08-31 10:29:04:333 1 start-render planning grid
2015-08-31 10:29:08:114 1 end-render planning grid
2015-08-31 10:29:09:227 1 end-total Next Day
2015-08-31 10:30:12:444 2 start-total planningblock
2015-08-31 10:30:12:485 2 start-data refresh function
2015-08-31 10:30:14:333 2 end-data refresh function
2015-08-31 10:30:14:356 2 start-render planning chart
2015-08-31 10:30:18:986 2 end-render planning chart
2015-08-31 10:30:18:999 2 start-render planning grid
2015-08-31 10:30:24:324 2 end-render planning grid
2015-08-31 10:30:24:554 2 end-total planningblock
2015-08-31 10:32:01:464 3 start-total active planningblock
2015-08-31 10:32:01:470 3 start-data refresh function
2015-08-31 10:32:03:001 3 end-data refresh function
2015-08-31 10:32:03:011 3 start-render planning chart
2015-08-31 10:32:09:975 3 end-render planning chart
2015-08-31 10:32:10:015 3 end-total active planningblock
I started by extracting fields:
time: 2015-08-31 10:29:02:666
id: 1
timeindicator: start-total
action: Next Day
I played around with the transaction command, but I can't get it quite right. Ideally the output is a stacked chart with the cumulative duration per id over the time entries. In the example data for id=2, there are two render actions, i.e. the application is rendering a "planning grid" view and a "planning chart" view (using the same data, hence only one data refresh)
I would like to produce a result similar to this chart: https://www.dropbox.com/s/i9vztu04fqilkmi/Screen%20Shot%202015-08-10%20at%2023.46.35.png?dl=0
(note that the chart I prepared in Excel is using slightly different demo data)
thank you already in advance
Erik
Try something like this
your base search giving fields _time id timeindicator action | transaction id action maxevents=2 startswith="timeindicator=start*" endswith="timeindicator=end*" | table _time action duration | timechart sum(duration) by action
Choose the visualization as Area chart (to match your sample visualization).