https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365491#M107786 <P>Assuming they were individual events before the <CODE>transaction</CODE>, get rid of the <CODE>transaction</CODE> and do it this way...</P> <PRE><CODE>index=foo ("Status Code is" OR "HTTP") | rename COMMENT as "extract thread, url and status, frop all other fields but _time" | rex "INFO\s+\((?&lt;myThread&gt;[^:\)]*:)\)\s*(HTTP url : (?&lt;myURL&gt;.*?)\s+?|:Status Code is:(?&lt;myStatus&gt;\d{3})\s+?)" | fields _time myThread myURL myStatus | rename COMMENT as "sort into thread /time order then roll URL and start time foreward onto response record" | sort 0 myThread _time | streamstats current=f last(_time) as lasttime last(myURL) as lastURL by myThread | rename COMMENT as "Drop all records but the response, calculate response time" | where isnotnull(myStatus) | eval resptime = _time - lasttime </CODE></PRE> <P>This should give records that look like this</P> <PRE><CODE>| fields _time myThread lastURL myStatus resptime </CODE></PRE> <P>And then you can run them into this...</P> <PRE><CODE>| stats avg(resptime) as avgresp p95(resptime) as p95resp by lastURL </CODE></PRE> Fri, 10 Nov 2017 17:58:28 GMT DalJeanis 2017-11-10T17:58:28Z https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365489#M107784 <P>1) I want to count the number of occurences of the HTTP URL with p(95) response time for url invocation:<BR /> <A href="https://example.net/v1/abc/xyz" target="_blank">https://example.net/v1/abc/xyz</A> with the response code as 200 or 500<BR /> 2) The response time is the difference of time-stamp b/w line 6 &amp; 3.<BR /> 3) Both the URL invocation &amp; Status code occurs for the same thread which is Thread-30_Server_1 and always should be the next occurences<BR /> If you see both event 1 &amp; event 2 occur with the same thread but the response status code should always be sequential.<BR /> So the splunk search should return event 1 with Status as 200 where-as event 2 with Status as 350</P> <P>Event 1:</P> <P>Line1) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) :Url in else part is:<A href="https://example.net/v1/abc/xyz" target="_blank">https://example.net/v1/abc/xyz</A><BR /> Line2) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%<BR /> Line3) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) HTTP url : <A href="https://example.net/v1/abc/xyz" target="_blank">https://example.net/v1/abc/xyz</A><BR /> Line4) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) Body: [{"itemID":"42650750083","uom":"EACH","toZipCode":"112173111","qty":1,"channel":"dotcom"}]<BR /> Line5) 2017-11-10 03:05:38,826 10606295 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%<BR /> Line6) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status Code is:200<BR /> Line7) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) :Status message is:"Success"<BR /> Line8) 2017-11-10 03:05:39,012 10606481 INFO (Thread-30_Server_1:) Exit call and 3</P> <P>Event 2:</P> <P>Line101) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) Enter call with 5 attributes<BR /> Line102) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%<BR /> Line103) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) HTTP url : <A href="https://example.net/v2/mmm/nnn" target="_blank">https://example.net/v2/mmm/nnn</A><BR /> Line104) 2017-11-10 03:05:39,364 10606833 INFO (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%<BR /> Line105) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################<BR /> Line106) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Output from Server<BR /> Line107) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) {"status":350,"message":"Success","body":[{"shortageQty":0,"reservedQty":1,"partiallyReservedQty":0,"problemType":"SUCCESS"}}]}<BR /> Line108) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) ####################################################################<BR /> Line109) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status Code is:350<BR /> Line110) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) :Status message is:"Success"<BR /> Line111) 2017-11-10 03:05:39,442 10606911 INFO (Thread-30_Server_1:) Exit call</P> Tue, 29 Sep 2020 16:45:23 GMT https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365489#M107784 gvanjre 2020-09-29T16:45:23Z https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365490#M107785 <P>Is that one event with 8 lines, or is that 8 events that have been rolled together using <CODE>transaction</CODE>?</P> <P>The code is simpler in the first case.</P> Fri, 10 Nov 2017 17:09:20 GMT https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365490#M107785 DalJeanis 2017-11-10T17:09:20Z https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365491#M107786 <P>Assuming they were individual events before the <CODE>transaction</CODE>, get rid of the <CODE>transaction</CODE> and do it this way...</P> <PRE><CODE>index=foo ("Status Code is" OR "HTTP") | rename COMMENT as "extract thread, url and status, frop all other fields but _time" | rex "INFO\s+\((?&lt;myThread&gt;[^:\)]*:)\)\s*(HTTP url : (?&lt;myURL&gt;.*?)\s+?|:Status Code is:(?&lt;myStatus&gt;\d{3})\s+?)" | fields _time myThread myURL myStatus | rename COMMENT as "sort into thread /time order then roll URL and start time foreward onto response record" | sort 0 myThread _time | streamstats current=f last(_time) as lasttime last(myURL) as lastURL by myThread | rename COMMENT as "Drop all records but the response, calculate response time" | where isnotnull(myStatus) | eval resptime = _time - lasttime </CODE></PRE> <P>This should give records that look like this</P> <PRE><CODE>| fields _time myThread lastURL myStatus resptime </CODE></PRE> <P>And then you can run them into this...</P> <PRE><CODE>| stats avg(resptime) as avgresp p95(resptime) as p95resp by lastURL </CODE></PRE> Fri, 10 Nov 2017 17:58:28 GMT https://community.splunk.com/t5/Splunk-Search/Using-Splunk-query-with-transaction/m-p/365491#M107786 DalJeanis 2017-11-10T17:58:28Z