Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Splunk query with transaction

gvanjre
New Member
‎11-10-2017 01:12 AM

1) I want to count the number of occurences of the HTTP URL with p(95) response time for url invocation:
https://example.net/v1/abc/xyz with the response code as 200 or 500
2) The response time is the difference of time-stamp b/w line 6 & 3.
3) Both the URL invocation & Status code occurs for the same thread which is Thread-30_Server_1 and always should be the next occurences
If you see both event 1 & event 2 occur with the same thread but the response status code should always be sequential.
So the splunk search should return event 1 with Status as 200 where-as event 2 with Status as 350

Event 1:

Line1) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz
Line2) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line3) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
Line4) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) Body: [{"itemID":"42650750083","uom":"EACH","toZipCode":"112173111","qty":1,"channel":"dotcom"}]
Line5) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line6) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200
Line7) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line8) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) Exit call and 3

Event 2:

Line101) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) Enter call with 5 attributes
Line102) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line103) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
Line104) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line105) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line106) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Output from Server
Line107) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) {"status":350,"message":"Success","body":[{"shortageQty":0,"reservedQty":1,"partiallyReservedQty":0,"problemType":"SUCCESS"}}]}
Line108) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################
Line109) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350
Line110) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status message is:"Success"
Line111) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Exit call

0 Karma
Reply

DalJeanis
Legend
‎11-10-2017 09:58 AM

Assuming they were individual events before the transaction, get rid of the transaction and do it this way...

index=foo  ("Status Code is" OR "HTTP")

| rename COMMENT as "extract thread, url and status, frop all other fields but _time"
| rex  "INFO\s+\((?<myThread>[^:\)]*:)\)\s*(HTTP url : (?<myURL>.*?)\s+?|:Status Code is:(?<myStatus>\d{3})\s+?)"
| fields _time myThread myURL myStatus

| rename COMMENT as "sort into thread /time order then roll URL and start time foreward onto response record"
| sort 0 myThread _time
| streamstats current=f last(_time) as lasttime last(myURL) as lastURL by myThread

| rename COMMENT as "Drop all records but the response, calculate response time"
| where isnotnull(myStatus) 
| eval resptime = _time - lasttime

This should give records that look like this

| fields _time myThread lastURL myStatus resptime

And then you can run them into this...

| stats avg(resptime) as avgresp p95(resptime) as p95resp by lastURL
0 Karma
Reply

DalJeanis
Legend
‎11-10-2017 09:09 AM

Is that one event with 8 lines, or is that 8 events that have been rolled together using transaction?

The code is simpler in the first case.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...