Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculating the duration of a transaction fragment vs. the total transaction

Yancy
Path Finder
‎08-16-2010 07:21 PM

I'm reviewing debug logs that have some Enter/Exit values for each step of a process. Currently I can calculate the total Transaction duration or the duration of a specific operation within that transaction(Enter/Exit entries), but I'd like to pull these into a single search so that I can calculate the difference in duration from a specific operation vs the total transaction.

My problem seems to be related to getting all my fields to final calculation. Only SID & duration of the outside transaction are coming through.

Here's my search

SomeOperation | transaction SID maxspan=120s maxpause=120s [search host="foo" sourcetype="bar" SID | transaction SID maxspan=120s maxpause=120s | eval total=duration | fields SID, total, _raw] | eval diff=total-duration | fields SID, diff, duration, total

Edit:

Here's an example of the data I'm looking at:

2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Process: Enter
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:33:221 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah 
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Process: Exit

I basically want to get the duration of the whole group, plus the duration of SomeImportantOperation. This will allow me to calculate a difference between the two and see whether or not SomeImportantOperation is bogging down the whole transaction. (ie What percentage of the transaction is spent in SomeImportantOperation?)

My search does appear to be working, but my field 'total' does not appear to be making it out of the subsearch (which causes my 'diff' calculation to fail too).

Tags (1)
Reply
1 Solution
Solved! Jump to solution

Lowell
Super Champion
‎08-16-2010 07:33 PM

I've never seen a sub-search on a transaction command like this. Is your existing search working? Also, can you give an example of "SomeOperation"? Are you sure you fields are being limited by your "fields" command? Looks like only you are only keeping a 4 of them (your very last command)

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎08-16-2010 07:29 PM

See if either of these questions/answers are of help to you:

Reply
Solved! Jump to solution

Yancy
Path Finder
‎08-16-2010 08:10 PM

Confirmed, option one works great. Thanks!

0 Karma
Reply
Solved! Jump to solution

Yancy
Path Finder
‎08-16-2010 07:55 PM

This first link looks spot on, will try this out.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...