https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257215#M77022 <P>Hi Sundar,</P> <P>I tried to execute the above it is trying to fetch data but I am unable to understand the duration logic</P> <P>Is this in mill sec? The response can't be 0.0. I want <STRONG>request</STRONG> followed by <STRONG>response</STRONG><BR /> I felt it pick anything with request and response. Please check <STRONG>jmsListenerA-10</STRONG></P> <PRE><CODE>thread direction duration jmsListenerA-7 response jmsListenerB-16 request 0.000 jmsListenerB-16 response 1.280 jmsListenerA-12 request 2.802 jmsListenerA-12 response 3.521 jmsListenerB-7 request 4.361 jmsListenerB-7 response 4.795 jmsListenerB-27 request 5.579 jmsListenerB-27 response 47.066 jmsListenerA-10 request 48.289 jmsListenerA-27 request 54.968 jmsListenerA-10 response 55.055 jmsListenerA-27 response 56.150 jmsListenerA-12 request jmsListenerA-12 response 0.000 jmsListenerB-12 request 56.273 jmsListenerB-18 request 66.584 jmsListenerB-18 response 67.584 jmsListenerB-12 response 68.249 jmsListenerA-12 request </CODE></PRE> Tue, 12 Jul 2016 05:14:26 GMT saradachelluboy 2016-07-12T05:14:26Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257212#M77019 <P>Hi All,</P> <P>Transaction duration based on thread name. I wrote the below search:</P> <PRE><CODE>index="p" sourcetype="x" | transaction host startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:" </CODE></PRE> <P>It is picking up the duration from <STRONG>jmsListenerA-10</STRONG> request and <STRONG>jmsListenerA-11</STRONG> response which is not valid. Could some one pls help?</P> <P>This is multi threaded and data is not sequential, only identification is thread name i.e. jmsListenerA-10. once the response ends the thread will be reused again.</P> <P>Log Data:</P> <PRE><CODE>INFO | 2016-07-12 02:05:03,556 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | request: &lt;?xml version="1.0" encoding="UTF-8"?&gt;&lt;urn:CorrelationId&gt;11111&lt;/urn:CorrelationId&gt; INFO | 2016-07-12 02:05:03,589 | jmsListenerA-10 | au.com.xxx.PGService | Number of transaction builder errors: 0 INFO | 2016-07-12 02:05:03,757 | jmsListenerA-10 | au.com.xxx.PGService | This Transaction is of type: INFO | 2016-07-12 02:05:04,297 | jmsListenerA-11| au.com.xxx.LoggingMessageConverter | response: &lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;&lt;ns11:CorrelationId&gt;22222&lt;/ns11:CorrelationId&gt; INFO | 2016-07-12 02:05:03,820 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse INFO | 2016-07-12 02:05:03,919 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | request: Transaction Bundle INFO | 2016-07-12 02:05:04,199 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | response: Transaction Bundle INFO | 2016-07-12 02:05:04,216 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse INFO | 2016-07-12 02:05:04,297 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | response: &lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;&lt;ns11:CorrelationId&gt;11111&lt;/ns11:CorrelationId&gt; </CODE></PRE> Mon, 11 Jul 2016 23:33:09 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257212#M77019 saradachelluboy 2016-07-11T23:33:09Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257213#M77020 <P>Transaction is not the best command for this. Try this approach instead</P> <PRE><CODE>index="p" sourcetype="x" | rex "(?&lt;thread&gt;jmsListener-\d+)" | rex "(?&lt;direction&gt;request|response)" | reverse | streamstats count as txn by host thread direction | streamstats current=f range(_time) as duration by txn | table host thread direction duration </CODE></PRE> Mon, 11 Jul 2016 23:46:44 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257213#M77020 sundareshr 2016-07-11T23:46:44Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257214#M77021 <P>It seems that you need to extract the values of <CODE>jmsListenerA-NN</CODE> into a field such as <CODE>jmsListener</CODE>. </P> <P>Your command can then be - </P> <PRE><CODE>index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:" </CODE></PRE> Mon, 11 Jul 2016 23:49:37 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257214#M77021 ddrillic 2016-07-11T23:49:37Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257215#M77022 <P>Hi Sundar,</P> <P>I tried to execute the above it is trying to fetch data but I am unable to understand the duration logic</P> <P>Is this in mill sec? The response can't be 0.0. I want <STRONG>request</STRONG> followed by <STRONG>response</STRONG><BR /> I felt it pick anything with request and response. Please check <STRONG>jmsListenerA-10</STRONG></P> <PRE><CODE>thread direction duration jmsListenerA-7 response jmsListenerB-16 request 0.000 jmsListenerB-16 response 1.280 jmsListenerA-12 request 2.802 jmsListenerA-12 response 3.521 jmsListenerB-7 request 4.361 jmsListenerB-7 response 4.795 jmsListenerB-27 request 5.579 jmsListenerB-27 response 47.066 jmsListenerA-10 request 48.289 jmsListenerA-27 request 54.968 jmsListenerA-10 response 55.055 jmsListenerA-27 response 56.150 jmsListenerA-12 request jmsListenerA-12 response 0.000 jmsListenerB-12 request 56.273 jmsListenerB-18 request 66.584 jmsListenerB-18 response 67.584 jmsListenerB-12 response 68.249 jmsListenerA-12 request </CODE></PRE> Tue, 12 Jul 2016 05:14:26 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257215#M77022 saradachelluboy 2016-07-12T05:14:26Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257216#M77023 <PRE><CODE>index="p" sourcetype=x | rex "(?&lt;thread&gt;jmsListener\w-\d+)" | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:" | table thread duration </CODE></PRE> <P>Working fine mixed sundareshr regular expression with transaction works perfect</P> <P>Thanks to both</P> Tue, 12 Jul 2016 06:12:40 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257216#M77023 saradachelluboy 2016-07-12T06:12:40Z https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257217#M77024 <P>Beautiful thing!!! </P> Tue, 12 Jul 2016 10:45:16 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-duration-in-Splunk/m-p/257217#M77024 ddrillic 2016-07-12T10:45:16Z