Using Splunk query with transaction

gvanjre
New Member

1) I want to count the number of occurrences of the HTTP URL with the p(95) response time for the URL invocation:
https://example.net/v1/abc/xyz with the response code as 200 or 500
2) The response time is the difference of the timestamps between line 6 & 3.
3) Both the URL invocation & status code occur for the same thread, which is Thread-30_Server_1, and should always be the next occurrence.
If you see, both event 1 & event 2 occur with the same thread, but the response status code should always be sequential.
So the Splunk search should return event 1 with Status as 200, whereas event 2 with Status as 350

Event 1:

Line1) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz
Line2) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line3) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
Line4) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) Body: [{"itemID":"42650750083","uom":"EACH","toZipCode":"112173111","qty":1,"channel":"dotcom"}]
Line5) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line6) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200
Line7) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line8) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) Exit call and 3

Event 2:

Line101) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) Enter call with 5 attributes
Line102) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line103) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
Line104) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line105) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line106) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Output from Server
Line107) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) {"status":350,"message":"Success","body":[{"shortageQty":0,"reservedQty":1,"partiallyReservedQty":0,"problemType":"SUCCESS"}}]}
Line108) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line109) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350
Line110) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line111) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Exit call


DalJeanis
Legend

Assuming they were individual events before the transaction, get rid of the transaction and do it this way...

index=foo  ("Status Code is" OR "HTTP")

| rename COMMENT as "extract thread, url and status, drop all other fields but _time"
| rex  "INFO\s+\((?<myThread>[^:\)]*:)\)\s*(HTTP url : (?<myURL>\S+)|:Status Code is:(?<myStatus>\d{3}))"
| fields _time myThread myURL myStatus

| rename COMMENT as "sort into thread/time order then roll URL and start time forward onto response record"
| sort 0 myThread _time
| streamstats current=f last(_time) as lasttime last(myURL) as lastURL by myThread

| rename COMMENT as "Drop all records but the response, calculate response time"
| where isnotnull(myStatus) 
| eval resptime = _time - lasttime

This should give records that look like this

| fields _time myThread lastURL myStatus resptime

And then you can run them into this...

| stats avg(resptime) as avgresp p95(resptime) as p95resp by lastURL
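To show the answer's pairing logic actually running over the question's own log lines, here is an added example (not DalJeanis's code and not Splunk's); the regex, the nearest-rank p95 and the 200/500 status filter are assumptions standing in for rex, streamstats and p95().

```python
import math
import re
from datetime import datetime

# Constructed sample, copied from the question's two events; each line is one Splunk event.
LOG_LINES = [
    "2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz",
    "2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz",
    "2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200",
    "2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn",
    "2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350",
]

# Same extraction as the answer's rex: thread name, then either the request URL or the status code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ INFO \((?P<thread>[^:)]*:)\)\s*"
    r"(?:HTTP url : (?P<url>\S+)|:Status Code is:(?P<status>\d{3}))"
)

def parse(lines):
    """Yield (_time, thread, url, status) for lines the rex matches; other lines are dropped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["thread"], m["url"], m["status"]

def pair_requests(records):
    """streamstats-style: sort by thread then time, roll the last URL forward onto its status line."""
    last, responses = {}, []   # last: thread -> (url, request time); responses: (url, status, seconds)
    for t, thread, url, status in sorted(records, key=lambda r: (r[1], r[0])):
        if url is not None:
            last[thread] = (url, t)
        elif status is not None and thread in last:
            req_url, req_time = last.pop(thread)  # pop so a status line pairs with one request only
            responses.append((req_url, int(status), (t - req_time).total_seconds()))
    return responses

def p95(values):
    """Nearest-rank 95th percentile, the same idea as Splunk's p95()."""
    s = sorted(values)
    return s[max(math.ceil(0.95 * len(s)) - 1, 0)]

def stats_by_url(lines, statuses=(200, 500)):
    """Per URL: (count, p95 response time), keeping only the wanted status codes (200 or 500 here)."""
    by_url = {}
    for url, status, rt in pair_requests(parse(lines)):
        if status in statuses:
            by_url.setdefault(url, []).append(rt)
    return {url: (len(v), p95(v)) for url, v in by_url.items()}
```

With the default filter only the v1 call (status 200) is counted; event 2 (status 350) is paired but dropped, exactly as the question asks.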

DalJeanis
Legend

Is that one event with 8 lines, or is that 8 events that have been rolled together using transaction?

The code is simpler in the first case.
