Splunk Search

How to get statistics from a few rows with the same task id?

niroren
New Member

Hi,

I have a few rows in one log:

2018-01-25 13:49:40,107 INFO  [com.wss.service.agent.AgentServlet] (default task-46) ************************* Start handling request *************************
2018-01-25 13:49:40,107 INFO  [com.wss.service.agent.AgentServlet] (default task-46) coming from 10.10.10.10
2018-01-25 13:49:40,183 INFO  [com.wss.service.agent.AgentServlet] (default task-46) Handling request 
com.wss.service.agent.impl.AgentRequestParams@429a71c5[
  type=XXXX
  agent=QQQQ
  agentVersion=1.0
  pluginVersion=2.0
  domainToken=bc08304288fb47769288afdf9044ae0155hgg654
  product=ZZZZZ
  productVersion=3.0
  timestamp=Thu Jan 25 13:49:39 GMT+02:00 2018
  requesterEmail=splunk@ws.com
  projectInfos=AgentProjectInfo@2ae7c61a[coordinates= Coordinates@3f30d63a[groupId= null,artifactId= AAAAAAA,version= null ],parentCoordinates= null,projectToken= null ]
]
2018-01-25 13:49:40,183 INFO  [com.wss.service.agent.AgentServlet] (default task-46) request type is UPDATE
2018-01-25 13:49:40,228 INFO  [com.wss.service.agent.impl.AgentServiceImpl] (default task-46) updating domain: DomainName, product: ProductName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) Updating inventory for BBBBBBB
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) New UpdateInventoryTask for DomainName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.AgentServlet] (default task-46) writing result
2018-01-25 13:49:40,267 INFO  [org.perf4j.TimingLogger] (default task-46) start[1516880980107] time[159] tag[Agent Request]
2018-01-25 13:49:40,267 INFO  [com.wss.service.agent.AgentServlet] (default task-46) ************************* Handling request finished *************************

These rows describe a task (there are a lot of tasks with different types).
The task has a TaskID, 46 in this example.
How can we get statistics on the tasks (how many times each was executed, duration, etc.) by type of task or by agent?

Thanks for the help

1 Solution

niketn
Legend

@niroren, for your case, you are better off running a stats command instead of transaction to perform the correlation:

<YourBaseSearch> "Start handling request" OR "Handling request finished"
| rex "\(default task-(?<TaskID>\d+)\)"
| eval status=case(searchmatch("Start handling request"),"Start",searchmatch("Handling request finished"),"Finished")
| stats count as eventcount min(_time) as startTime max(_time) as endTime values(status) as status by TaskID
| eval duration=endTime-startTime
| fieldformat startTime=strftime(startTime,"%Y-%m-%d %H:%M:%S")
| fieldformat endTime=strftime(endTime,"%Y-%m-%d %H:%M:%S")
| search eventcount=1 AND status!="Finished"

PS: Make sure TaskID is a transaction ID and not something like a thread ID, which may repeat over time; otherwise your search would need to be changed to find the correct matches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


niroren
New Member

Thanks for your answer, was extremely helpful.

With this transaction, how can I find similar transactions that have startswith="Start handling request" but don't have the endswith (transactions that haven't finished yet)?

Thanks,
Nir


FrankVl
Ultra Champion

You can leave out those startswith and endswith parts if needed.

PS: You might want to change your 'answer' to a comment, and if my answer (or the answer of @niketnilay below) works for you, I'd appreciate it if you mark it as accepted, so that it is clear this question was answered 🙂


FrankVl
Ultra Champion

Have a look at the transaction command. That should give you the tools you need to do what you want to do.

For example:

...base search that returns these events...
| transaction TaskID startswith="Start handling request" endswith="Handling request finished"

The transactions that result from this will have a duration field; you can also append a stats command to this search to count the number of transactions (by TaskID), etc.
