- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Calculating the duration of a transaction frag...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm reviewing debug logs that have some Enter/Exit values for each step of a process. Currently I can calculate the total Transaction duration or the duration of a specific operation within that transaction(Enter/Exit entries), but I'd like to pull these into a single search so that I can calculate the difference in duration from a specific operation vs the total transaction.
My problem seems to be related to getting all my fields to final calculation. Only SID & duration of the outside transaction are coming through.
Here's my search
SomeOperation | transaction SID maxspan=120s maxpause=120s [search host="foo" sourcetype="bar" SID | transaction SID maxspan=120s maxpause=120s | eval total=duration | fields SID, total, _raw] | eval diff=total-duration | fields SID, diff, duration, total
Edit:
Here's an example of the data I'm looking at:
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Process: Enter
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:33:221 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Process: Exit
I basically want to get the duration of the whole group, plus the duration of SomeImportantOperation. This will allow me to calculate a difference between the two and see whether or not SomeImportantOperation is bogging down the whole transaction. (ie What percentage of the transaction is spent in SomeImportantOperation?)
My search does appear to be working, but my field 'total' does not appear to be making it out of the subsearch (which causes my 'diff' calculation to fail too).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if either of these questions/answers are of help to you:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've never seen a sub-search on a transaction command like this. Is your existing search working? Also, can you give an example of "SomeOperation"? Are you sure you fields are being limited by your "fields" command? Looks like only you are only keeping a 4 of them (your very last command)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if either of these questions/answers are of help to you:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Confirmed, option one works great. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This first link looks spot on, will try this out.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
