topic Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria? in Alerting

How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

karthi2809 — Thu, 21 Sep 2017 10:32:49 GMT

how to calculate job start time and job end time of transaction for particular time and to set trigger mail when start time and stop time?
This is my query ,i am getting two events as start time and end time
index=test URI=/member* | head 1 | append [search index=test URI=/member*| tail 1] | transaction URI

How to send email when start time and end time

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

cmerriman — Thu, 21 Sep 2017 12:10:48 GMT

when exactly do you want to send an email? You can trigger it when specific conditions are met. Something like every time there is a start time AND end time (ie: two events or duration>0) or if the start time is after a certain hour of the day or on a certain day. can you be more specific?

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

karthi2809 — Thu, 21 Sep 2017 12:36:08 GMT

one of the job is running from 12 to 5.In the time i need to find start time and end time .
for ex: if the job starts at 12.30 i need to trigger email as job started .

but for end time i dont know how to find end time and how to send mail for job completed .i dont have any start stop string in the event

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

cmerriman — Thu, 21 Sep 2017 12:47:35 GMT

can you give a sample of you data? you need a trigger every time a job starts and every time a job is completed? How do you know if the job is complete if there is no "complete" (or something similar) string? What metrics define a completed job?

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

DalJeanis — Thu, 21 Sep 2017 15:48:27 GMT

try this...

index=test URI=/member* 
| stats min(_time) as starttime max(_time) as endtime range(_time) as duration by URI

Duration will be in seconds.

However, that doesn't solve your question of sending the start and stop emails. That just assumes that the last record for each will be the end record, which is what your original code was doing.

It would be better to figure out what the records actually look like, and search for them directly.

When you post those, we can help you work out the code.

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

lfedak_splunk — Fri, 22 Sep 2017 00:06:22 GMT

Hey @karthi2809, if DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

karthi2809 — Fri, 22 Sep 2017 04:52:06 GMT

That only i dont know how to do.so i tried tail 1 command for last event time

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

karthi2809 — Tue, 29 Sep 2020 15:50:52 GMT

When i use this query i have start time and stop time

9/20/17
4:27:18.570 PM

SPLUNK-TRACE-DateandTime - 2017-09-20 16:27:18.570 ThreadID=200;ThreadIDHex=00000;ThreadName=[WebContainer : 10];Node=MBR2:8448;meta-transid=INTERNAL_4f2d8b-11-48-8d-8e1776;ConsumerSenderID=NA;URI=/member*; TranasactionStartTime=2017-09-20 16:27:15.645;TransactionEndTime=2017-09-20 16:27:18.570;TransactionStatus=SUCCESS;Method=GET;StatusCode=200;Backend=;ErrorMsg=;JDBCInvocation=;JDBCWaitTime=;CacheContentFlag=UNKNOWN;CaptureLocation=Response;

9/20/17
12:30:10.908 PM
SPLUNK-TRACE-DateandTime - 2017-09-20 12:30:10.908 ThreadID=2084;ThreadIDHex=00000;ThreadName=[WebContainer : 2];Node=MBR8:8448;meta-transid=INTERNAL_f63e8-184e-49b-96d-8bbff0e5;ConsumerSenderID=NA;URI=/member*;TranasactionStartTime=2017-09-20 12:30:10.908;TransactionEndTime=NA;TransactionStatus=;Method=GET;StatusCode=;Backend=GetMber, GetContact-dal;ErrorMsg=;JDBCInvocation=;JDBCWaitTime=;CacheContentFlag=UNKNOWN;CaptureLocation=Request;

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

DalJeanis — Mon, 25 Sep 2017 13:56:40 GMT

@Karthi2809 -

Easy enough. All the records have TranasactionStartTime set to the same time. (Note the extra a in Tran a saction in the events.)

If you want to alert that the job has started, you need to key on the job where _time = TranasactionStartTime.

If you want to alert that the job has completed, you need to key on the event where _time = TransactionEndTime.

 index=test URI=/member* 
 | rename COMMENT as "Extract the times from the record" 
 | rex "TranasactionStartTime=(?<start>[^;]+);TransactionEndTime=(?<end>[^;N]*)(;|NA)"
 | eval tranStartTime=strftime(start,","%Y-%m-%d %H:%M:%s.%3N")
 | eval tranEndTime=strftime(end,","%Y-%m-%d %H:%M:%s.%3N")

 | rename COMMENT as "Group the records, clean up duration if the transaction has not completed." 
 | stats min(_time) as starttime, max(tranStartTime) as tranStartTime,
         max(_time) as nowtime, max(tranEndTime) as tranEndTime, range(_time) as duration by URI
 | eval duration=if(isnull(tranEndTime),null(),duration)

 | rename COMMENT as "If more records are possi ble than start and end, only let the start and end through." 
 | where (starttime=nowtime) OR (tranEndTime=nowtime)

Re: How to calculate job start/end time of transaction for particular time with an alert when it meets this criteria?

smilingajay — Wed, 18 Oct 2017 00:13:53 GMT

Hi Dal
What if the TransactionEndTime is only in CaptureLocation=Response and TransactionStartTime is only in CaptureLocation=Request

Thanks
AJ