https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213040#M62460 <P>Hi,</P> <P>I have a request and response logs for service.here is the question.<BR /> service A(main service)(id:1111):<BR /> ---Internal service1(sub service)(id:1111)<BR /> ---internal service 2(sub service)(id:1111)<BR /> ----Internal service 3(sub service)(id:1111)<BR /> Here service A starts and creates a ID and it will execute sub services(1,2,3).Id Remains the same for main and sub services.<BR /> My requirement is:</P> <P>I need to find out the time taken to complete the request and response for each and every main service. If the subservice failed then i should be able to see logs.In the events there is a success codes and failure codes.</P> <P>please help with query.</P> Sat, 23 Apr 2016 00:31:55 GMT mprreddy51 2016-04-23T00:31:55Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213040#M62460 <P>Hi,</P> <P>I have a request and response logs for service.here is the question.<BR /> service A(main service)(id:1111):<BR /> ---Internal service1(sub service)(id:1111)<BR /> ---internal service 2(sub service)(id:1111)<BR /> ----Internal service 3(sub service)(id:1111)<BR /> Here service A starts and creates a ID and it will execute sub services(1,2,3).Id Remains the same for main and sub services.<BR /> My requirement is:</P> <P>I need to find out the time taken to complete the request and response for each and every main service. If the subservice failed then i should be able to see logs.In the events there is a success codes and failure codes.</P> <P>please help with query.</P> Sat, 23 Apr 2016 00:31:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213040#M62460 mprreddy51 2016-04-23T00:31:55Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213041#M62461 <P>Hi,</P> <P>You will want to work with transaction:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> Sat, 23 Apr 2016 00:39:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213041#M62461 guilmxm 2016-04-23T00:39:47Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213042#M62462 <P>I already did like this but not working:<BR /> Index=abc sourcetype=pqr service=moper |transaction id<BR /> but i am getting all events;</P> Sat, 23 Apr 2016 00:42:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213042#M62462 mprreddy51 2016-04-23T00:42:02Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213043#M62463 <P>transaction is probably part of an answer, transaction will identify and group events depending on fields with values common to events, such as a session id. (which is your use)</P> <P>But that's part of the job, you will next want to evaluate the response time per sub_service / id, it's hard to answer really without being in the data, but if you have field extracted, the sub service name and the id, some simple evaluation like (even without transaction)</P> <PRE><CODE>| stats avg(myfield) by subservice_fieldname, id_fieldname </CODE></PRE> <P>Should start putting you on the right way.</P> <P>The stats command will automatically associate the id with sub_service if your fields are correctly extracted.<BR /> As said earlier, transaction will be useful to group events, its add valuable fields (look at the doc) you may need to use in your search before evaluating the response time for example.</P> Sat, 23 Apr 2016 01:27:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-query-to-find-the-request-and-response-of-the/m-p/213043#M62463 guilmxm 2016-04-23T01:27:02Z