Splunk Search

Detect the most delayed transactions

indeed_2000
Motivator

How can I find the most delayed transactions?
Here is the log file (below). I want to find which transactions are delayed and sort them descending, show the result in a table, subtract the timestamps and show the delay in front of each transaction.

Here is the log:

16:30:53:002 start[C1]L[143]F[10]
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:58:002 end[C1]L[143]F[10]
16:30:59:002 start[C1]L[143]F[11]
16:30:60:002 end[C1]L[143]F[11]

Expected output:

Transaction                               Delay 
16:30:53:002 start[C1]L[143]F[10]            5s 
16:30:58:002 end[C1]L[143]F[10]

16:30:59:002 start[C1]L[143]F[10]            1s 
16:30:60:002 end[C1]L[143]F[10]

...

FYI: 1. Sometimes we have a start without an end, or an end without a start.
2. "F" means footprint; sometimes "F" might not be unique, so after the first "start" we should expect an "end".

Any recommendation?

Thanks

1 Solution

manjunathmeti
SplunkTrust

Hi @mehrdad_2000, try this query:

| makeresults
| eval Transaction="16:30:53:002 start[C1]L[143]F[10],16:30:54:002 start[C2]L[143]F[20],16:30:55:002 start[C5]L[143]F[02],16:30:56:002 start[C12]L[143]F[30],16:30:57:002 start[C5]L[143]F[7],16:30:58:002 end[C1]L[143]F[10],16:30:59:002 start[C1]L[143]F[11],16:31:00:002 end[C1]L[143]F[11]"
| makemv delim="," Transaction
| mvexpand Transaction
| rex field=Transaction "(?<time>[\d:]+)\s(?<status>[\w]+)(?<field>.*)"
| eventstats count by field
| where count=2
| eval time=strptime(time, "%H:%M:%S:%3N")
| delta p=1 time as Delay
| eval Delay=if(status="end", Delay, "")
| table Transaction, Delay

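The same pairing done outside Splunk, as an added example that is not part of the thread or of the accepted answer: Python that parses the log lines from the question, pairs each "end" with the earliest still-open "start" for the same [C..]L[..]F[..] key (first start, first end, as the question's second note asks), reports starts without ends and ends without starts separately, and sorts the pairs by delay descending. The lines for C7 and C9 are constructed here to exercise a repeated footprint and an end with no start; they are not in the original log. Timestamps are converted with plain arithmetic so the question's 16:30:60:002 line is accepted rather than rejected, as a strptime call would.

```python
import re

# Constructed sample: the eight lines from the question, plus extra C7/C9 lines
# (an assumption, not from the post) for a repeated footprint and an orphan end.
SAMPLE_LOG = """\
16:30:53:002 start[C1]L[143]F[10]
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:58:002 end[C1]L[143]F[10]
16:30:59:002 start[C1]L[143]F[11]
16:30:60:002 end[C1]L[143]F[11]
16:31:01:002 start[C7]L[143]F[5]
16:31:02:002 start[C7]L[143]F[5]
16:31:04:002 end[C7]L[143]F[5]
16:31:07:002 end[C7]L[143]F[5]
16:31:08:002 end[C9]L[143]F[1]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<status>start|end)"
    r"(?P<key>\[\w+\]L\[\d+\]F\[\d+\])$"
)


def parse_ts_ms(ts: str) -> int:
    """HH:MM:SS:mmm -> milliseconds since midnight.

    Plain arithmetic, so the '16:30:60:002' line in the question (which a
    strptime call would reject) is treated as 16:31:00:002.
    """
    h, m, s, ms = (int(part) for part in ts.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def pair_transactions(log_text: str):
    """Return (pairs, starts_without_end, ends_without_start).

    pairs: list of (start_line, end_line, delay_seconds), delay descending.
    Pairing is FIFO per key: the oldest unmatched 'start' for a key is closed
    by the next 'end' for that key, so a repeated F value still yields separate
    transactions. Events are sorted by timestamp first, so input order does
    not matter (Splunk returns indexed events newest first by default).
    """
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a start/end record; ignore
        events.append((parse_ts_ms(m["ts"]), m["status"], m["key"], raw.strip()))
    events.sort(key=lambda e: e[0])  # stable: equal timestamps keep input order

    open_starts = {}  # key -> [(ts_ms, line), ...] oldest first
    pairs, orphan_ends = [], []
    for ts_ms, status, key, line in events:
        if status == "start":
            open_starts.setdefault(key, []).append((ts_ms, line))
            continue
        queue = open_starts.get(key)
        if not queue:
            orphan_ends.append(line)  # end without start
            continue
        start_ts, start_line = queue.pop(0)
        pairs.append((start_line, line, (ts_ms - start_ts) / 1000.0))

    unmatched_starts = [line for q in open_starts.values() for _, line in q]
    pairs.sort(key=lambda p: -p[2])  # stable: equal delays keep end-time order
    return pairs, unmatched_starts, orphan_ends


def format_table(pairs) -> str:
    """Render the shape the question asks for: start line with delay, then its end line."""
    rows = [f"{'Transaction':<40} Delay"]
    for start_line, end_line, delay in pairs:
        rows.append(f"{start_line:<40} {delay:g}s")
        rows.append(end_line)
        rows.append("")
    return "\n".join(rows)


if __name__ == "__main__":
    pairs, unmatched, orphans = pair_transactions(SAMPLE_LOG)
    print(format_table(pairs))
    print("start without end:", *unmatched, sep="\n  ")
    print("end without start:", *orphans, sep="\n  ")
```

Running it prints the two C1 pairs from the question (5s and 1s) plus the two constructed C7 pairs, longest delay first, and lists the four unmatched starts and the orphan C9 end. The accepted SPL above reaches the same pairs for the sample because `where count=2` keeps only keys with exactly one start and one end and the `makeresults` rows are already in time order; against indexed events, which Splunk returns newest first, a `| sort 0 time` (or `| reverse`) before `delta` is needed, and a key that occurs more than twice (a repeated F) is dropped by `where count=2` rather than paired.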


indeed_2000
Motivator

Thank you, this is exactly what I want.


to4kawa
Ultra Champion
your search
| rex "(?<time>\S+) (?<status>start|end)(?<id>\[\w+\]L\[\d+\])"
| eval time=strptime(time, "%T:%3Q")
| streamstats count(eval(status="start")) as session by id
| stats list(_raw) as Transaction range(time) as Delay count as flag by session id
| where flag >1
| table Transaction Delay
| eval Delay=tostring(Delay, "duration")

indeed_2000
Motivator

Please use makeresults


to4kawa
Ultra Champion

Why? Your search is there, isn't it?


indeed_2000
Motivator

No, the result does not work as expected. If makeresults is added to it, I can describe it more precisely here.


to4kawa
Ultra Champion

Is that so? I'm sorry.


indeed_2000
Motivator

It seems to group all the results, not separate them two by two by "start" and "end".
I think the footprint (F) and timestamp might help to separate them two by two.


to4kawa
Ultra Champion

No such thing.


indeed_2000
Motivator

Here is the output

16:30:53:002 start[C1]L[143]F[10]          6s
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:59:002 start[C1]L[143]F[11]

16:30:58:002 end[C1]L[143]F[10]            2s
16:30:60:002 end[C1]L[143]F[11]

to4kawa
Ultra Champion

Why are another session and id the same multivalue?


indeed_2000
Motivator

Would you please add makeresults to the sample below, so I can check the output? Thanks.

16:30:53:002 start[C1]L[143]F[10]
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:58:002 end[C1]L[143]F[10]
16:30:59:002 start[C1]L[143]F[11]
16:30:60:002 end[C1]L[143]F[11]
