https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339285#M100606 <P>Give this a try (field extraction needs to be adjusted per your need)</P> <PRE><CODE>your search | rex "^(\S+\s+){4}Process (?&lt;ProcessName&gt;\S+)\s+(?&lt;event_type&gt;(start|end))" | where isnotnull(event_type) | chart values(_time) over ProcessName by event_type | eval duration=end-start | table ProcessName duration </CODE></PRE> Wed, 13 Dec 2017 20:45:32 GMT somesoni2 2017-12-13T20:45:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339283#M100604 <P>I have numerous exposures captured in the log with minimaly structured data like the following.</P> <PRE><CODE>. . 2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered . . 2017/12/11 13:06:33.234 S_LOG VIDEO Process A start . . 2017/12/11 13:06:34.796 S_LOG VIDEO Process A end . . . 2017/12/11 13:06:35.210 S_LOG VIDEO Process B start . 2017/12/11 13:06:35.952 S_LOG VIDEO Process B end . . 2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit . . </CODE></PRE> <P>I can get a nice chart of the overall exposure durations with something like the following.</P> <PRE><CODE>&lt;search&gt; | transaction VIDEO startswith="Exposure(): entered" endswith="Exposure(): exit" | chart count by duration </CODE></PRE> <P>But what I would really like to get is a more detailed chart showing on average how much of the duration is composed by each of the sub process A,B,C,...<BR /> A Pie chart maybe...</P> <P>I've been reading through the Transaction documentation, but I'm getting lost in the details... All help appreciated.</P> Wed, 13 Dec 2017 18:42:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339283#M100604 tucker28 2017-12-13T18:42:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339284#M100605 <P>I think streamstats is right up your alley. this is just a rough draft, you'll have to mess with it depending on your variables and whatnot.</P> <PRE><CODE>|makeresults|eval data="date=1512983193,type=VIDEO,session=Exposure_Entered date=1512983196,type=VIDEO,session=Process_A_Start date=1512983206,type=VIDEO,session=Process_A_End date=1512983300,type=VIDEO,session=Process_B_Start date=1512983345,type=VIDEO,session=Process_B_End date=1512983450,type=VIDEO,session=Exposure_Exit"|makemv data|mvexpand data|rename data as _raw|kv|rename date as _time|table _time type session|sort 0 _time|streamstats window=1 current=f values(session) as prev_session values(_time) as prev_time by type|eval duration=if(like(session,"%End"),_time-prev_time,null()) </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats</A></P> Wed, 13 Dec 2017 19:30:50 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339284#M100605 cmerriman 2017-12-13T19:30:50Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339285#M100606 <P>Give this a try (field extraction needs to be adjusted per your need)</P> <PRE><CODE>your search | rex "^(\S+\s+){4}Process (?&lt;ProcessName&gt;\S+)\s+(?&lt;event_type&gt;(start|end))" | where isnotnull(event_type) | chart values(_time) over ProcessName by event_type | eval duration=end-start | table ProcessName duration </CODE></PRE> Wed, 13 Dec 2017 20:45:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-transaction-to-break-down-the-sub-processes-of-a/m-p/339285#M100606 somesoni2 2017-12-13T20:45:32Z