I am tracking response time in n-tier applications.
Let's assume that we have a client request log and a database request log. Each client request has a unique transaction_ID in the client log. The database log records 3 different requests for a single client request and specifies the transaction_ID corresponding to the client request served by the database requests.
I would like to correlate the client and database logs so that I can decompose the client request time into "application time" and "database time" (sum of the 3 database request response times).
Also, I would like to drill down on the database time to see the 3 different requests.
What do you recommend?
The transaction command may be the right approach in this case. Take a look at this previous answer which is very detailed.
From the docs (there are example transactions):
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction
The Transaction profiling app might be interesting for you to look at as well.
http://splunk-base.splunk.com/apps/29011/splunk-app-for-transaction-profiling-preview
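
The correlation asked about in the question, sketched outside Splunk as an added example (not part of the original answer and not Splunk's or the linked app's code): it joins two logs on `transaction_ID`, splits client time into application and database time, and keeps the per-request detail for drill-down. The log layout, the `response_ms` and `request` field names, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logs; the line layout and field names are assumptions.
CLIENT_LOG = """\
2013-01-10T10:00:00 transaction_ID=T1 response_ms=120
2013-01-10T10:00:01 transaction_ID=T2 response_ms=90
2013-01-10T10:00:02 transaction_ID=T3 response_ms=40
"""
DB_LOG = """\
2013-01-10T10:00:00 transaction_ID=T1 request=select_user response_ms=20
2013-01-10T10:00:00 transaction_ID=T1 request=select_cart response_ms=30
2013-01-10T10:00:00 transaction_ID=T1 request=update_cart response_ms=10
2013-01-10T10:00:01 transaction_ID=T2 request=select_user response_ms=25
2013-01-10T10:00:02 transaction_ID=T9 request=select_user response_ms=5
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield a dict of key=value fields for each line that has an ID and a time."""
    for line in log.splitlines():
        fields = dict(KV.findall(line))
        if "transaction_ID" in fields and "response_ms" in fields:
            yield fields

def correlate(client_log, db_log, expected_db_requests=3):
    """Join both logs on transaction_ID and split client time into app/db time."""
    db_by_tx = defaultdict(list)
    for f in parse(db_log):
        db_by_tx[f["transaction_ID"]].append((f.get("request", "?"), int(f["response_ms"])))
    report = {}
    for f in parse(client_log):
        tx, client_ms = f["transaction_ID"], int(f["response_ms"])
        db_requests = db_by_tx.pop(tx, [])  # empty when the database log has no match
        db_ms = sum(ms for _, ms in db_requests)
        report[tx] = {
            "client_ms": client_ms,
            "database_ms": db_ms,
            "application_ms": client_ms - db_ms,
            "db_requests": db_requests,  # drill-down detail, in log order
            "complete": len(db_requests) == expected_db_requests,
        }
    orphans = sorted(db_by_tx)  # database requests whose client request is missing
    return report, orphans

if __name__ == "__main__":
    report, orphans = correlate(CLIENT_LOG, DB_LOG)
    for tx, row in report.items():
        print(tx, row)
    print("orphan database transactions:", orphans)
```

The `complete` flag and the orphan list surface transactions where one side of the join is missing, which would otherwise inflate the computed application time.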