https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240312#M71412 <P>Hi all, </P> <P>I have a few sources that report a GUID/UUID across different hosts. (basically load balancers, intermediate proxies, auth, and different app servers all writing uuid in logs)'<BR /> I'm interested in help with displaying 3 things;</P> <OL> <LI>Length of entire transaction over hosts - one host has several steps before passing on, processing the same requests. </LI> <LI>time between sources (input to be charted)</LI> <LI>missing sources (lets say i know for sure it's supposed to be 4 different servers with the GUID, and one of the servers has several steps)</LI> </OL> <P>An example dataset would be (notice same <STRONG>uuid</STRONG>), but different hosts. </P> <PRE><CODE>2016.1.1 12:00:00.0125 host=10.1.1.30 host=www.mydomain.com src_ip=99.226.12.39 method=GET uri="/my/cool/application" uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:01.0125 server=10.2.1.30 src_ip=10.1.1.30 uri="/my/cool/application" uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:02.0125 hostname=10.2.1.30 step=incoming srcip=10.1.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:04.0125 hostname=10.2.1.30 step=ok srcip=10.1.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:07.0125 hostname=10.2.1.10 srcip=10.2.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 status=completed </CODE></PRE> <P>Any takers would be appreciated<BR /> brgds<BR /> kristen</P> Thu, 21 Jan 2016 07:14:27 GMT kritho 2016-01-21T07:14:27Z https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240312#M71412 <P>Hi all, </P> <P>I have a few sources that report a GUID/UUID across different hosts. (basically load balancers, intermediate proxies, auth, and different app servers all writing uuid in logs)'<BR /> I'm interested in help with displaying 3 things;</P> <OL> <LI>Length of entire transaction over hosts - one host has several steps before passing on, processing the same requests. </LI> <LI>time between sources (input to be charted)</LI> <LI>missing sources (lets say i know for sure it's supposed to be 4 different servers with the GUID, and one of the servers has several steps)</LI> </OL> <P>An example dataset would be (notice same <STRONG>uuid</STRONG>), but different hosts. </P> <PRE><CODE>2016.1.1 12:00:00.0125 host=10.1.1.30 host=www.mydomain.com src_ip=99.226.12.39 method=GET uri="/my/cool/application" uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:01.0125 server=10.2.1.30 src_ip=10.1.1.30 uri="/my/cool/application" uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:02.0125 hostname=10.2.1.30 step=incoming srcip=10.1.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:04.0125 hostname=10.2.1.30 step=ok srcip=10.1.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 2016.1.1 12:00:07.0125 hostname=10.2.1.10 srcip=10.2.1.30 uuid=28745996-dda7-eaba-8148-1615b51314a3 status=completed </CODE></PRE> <P>Any takers would be appreciated<BR /> brgds<BR /> kristen</P> Thu, 21 Jan 2016 07:14:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240312#M71412 kritho 2016-01-21T07:14:27Z https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240313#M71413 <P>This search will list the transaction time, in seconds, for each uuid</P> <PRE><CODE>yoursearchhere | stats range(_time) as total_time by uuid </CODE></PRE> <P>Time between sources/steps for each uuid:</P> <PRE><CODE>yoursearchhere | streamstats range(_time) as total_time earliest(step) as completed_step current=t window=2 global=f by uuid </CODE></PRE> <P>I don't know what you mean by "charted." You can make a chart that lists all the uuids along with the time, but that doesn't seem terribly useful. Exactly what do you want to see on the x-axis and the y-axis of your chart?</P> <P>Finally, it is hard to search for something "missing" - how would Splunk know something was missing unless it understood the overall pattern?<BR /> It would be helpful to have details about how you would figure out the missing steps manually. Then perhaps the community can help you find a way to identify the missing setups.</P> Thu, 21 Jan 2016 21:13:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240313#M71413 lguinn2 2016-01-21T21:13:14Z https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240314#M71414 <P>Thanks Iguinn, <BR /> Maybe I wasn't clear enough, <BR /> The loadbalancer stamps each incoming request with uuid, passing it along to the next service. So it would be nice to show the average transaction time for the entire service-path (not particulary by any specific uuid), as well as the time between each service as you suggested - it works <BR /> Regarding "missing" parts, for easyness, just the number of events in each transaction would be nice, any deviation would be even nicer (I know for sure any service-path should have atleast "hits" with the same uuid statement)<BR /> X-axis could be time, an y-axis could be a barchart split by duration of each transaction (ie time between events/host)</P> <P>brgds<BR /> kristen</P> Fri, 22 Jan 2016 08:50:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240314#M71414 kritho 2016-01-22T08:50:23Z https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240315#M71415 <P><STRONG>Updated answer</STRONG></P> <P>If you just want an average then</P> <PRE><CODE> yoursearchhere | stats range(_time) as total_time by uuid | stats avg(total_time) as "Average Transaction Time" </CODE></PRE> <P>Average time between sources/steps for each uuid:</P> <PRE><CODE> yoursearchhere | streamstats range(_time) as total_time earliest(step) as completed_step current=t window=2 global=f by uuid | stats avg(total_time) as average_time by completed_step </CODE></PRE> <P>For the potentially "missing steps", try this</P> <PRE><CODE> yoursearchhere | stats count by uuid | eventstats avg(total_time) as avg | where count &lt; avg </CODE></PRE> <P>Even fancier, show all the steps for UUIDs that may have missing steps</P> <PRE><CODE>yoursearchhere [ search yoursearchhereagain | stats count by uuid | eventstats avg(total_time) as avg | where count &lt; avg | fields uuid ] | sort uuid _time </CODE></PRE> <P>The last search will not work if there are thousands of UUIDs with missing steps.</P> Fri, 22 Jan 2016 16:58:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240315#M71415 lguinn2 2016-01-22T16:58:50Z https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240316#M71416 <P>Excellent. This works! tx</P> Fri, 22 Jan 2016 21:09:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-transactions-across-different-hosts-with-with-the/m-p/240316#M71416 kritho 2016-01-22T21:09:23Z