- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I use transaction to break down the sub pr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I use transaction to break down the sub processes of a duration?
I have numerous exposures captured in the log with minimaly structured data like the following.
.
.
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
.
.
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
.
.
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
.
.
.
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
.
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
.
.
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
.
.
I can get a nice chart of the overall exposure durations with something like the following.
<search> | transaction VIDEO startswith="Exposure(): entered" endswith="Exposure(): exit" | chart count by duration
But what I would really like to get is a more detailed chart showing on average how much of the duration is composed by each of the sub process A,B,C,...
A Pie chart maybe...
I've been reading through the Transaction documentation, but I'm getting lost in the details... All help appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (field extraction needs to be adjusted per your need)
your search
| rex "^(\S+\s+){4}Process (?<ProcessName>\S+)\s+(?<event_type>(start|end))"
| where isnotnull(event_type)
| chart values(_time) over ProcessName by event_type | eval duration=end-start
| table ProcessName duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think streamstats is right up your alley. this is just a rough draft, you'll have to mess with it depending on your variables and whatnot.
|makeresults|eval data="date=1512983193,type=VIDEO,session=Exposure_Entered date=1512983196,type=VIDEO,session=Process_A_Start date=1512983206,type=VIDEO,session=Process_A_End date=1512983300,type=VIDEO,session=Process_B_Start date=1512983345,type=VIDEO,session=Process_B_End date=1512983450,type=VIDEO,session=Exposure_Exit"|makemv data|mvexpand data|rename data as _raw|kv|rename date as _time|table _time type session|sort 0 _time|streamstats window=1 current=f values(session) as prev_session values(_time) as prev_time by type|eval duration=if(like(session,"%End"),_time-prev_time,null())
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
