Hi,
I have a few rows in one log:
2018-01-25 13:49:40,107 INFO [com.wss.service.agent.AgentServlet] (default task-46) ************************* Start handling request *************************
2018-01-25 13:49:40,107 INFO [com.wss.service.agent.AgentServlet] (default task-46) coming from 10.10.10.10
2018-01-25 13:49:40,183 INFO [com.wss.service.agent.AgentServlet] (default task-46) Handling request
com.wss.service.agent.impl.AgentRequestParams@429a71c5[
type=XXXX
agent=QQQQ
agentVersion=1.0
pluginVersion=2.0
domainToken=bc08304288fb47769288afdf9044ae0155hgg654
product=ZZZZZ
productVersion=3.0
timestamp=Thu Jan 25 13:49:39 GMT+02:00 2018
requesterEmail=splunk@ws.com
projectInfos=AgentProjectInfo@2ae7c61a[coordinates= Coordinates@3f30d63a[groupId= null,artifactId= AAAAAAA,version= null ],parentCoordinates= null,projectToken= null ]
]
2018-01-25 13:49:40,183 INFO [com.wss.service.agent.AgentServlet] (default task-46) request type is UPDATE
2018-01-25 13:49:40,228 INFO [com.wss.service.agent.impl.AgentServiceImpl] (default task-46) updating domain: DomainName, product: ProductName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) Updating inventory for BBBBBBB
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) New UpdateInventoryTask for DomainName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.AgentServlet] (default task-46) writing result
2018-01-25 13:49:40,267 INFO [org.perf4j.TimingLogger] (default task-46) start[1516880980107] time[159] tag[Agent Request]
2018-01-25 13:49:40,267 INFO [com.wss.service.agent.AgentServlet] (default task-46) ************************* Handling request finished *************************
These rows describe a task (there are a lot of tasks with different types).
The task has TaskID - 46 in this example.
How can we get statistics on the tasks (how many times it was executed, duration, etc.) by type of task or agent?
Thanks for the help.
@niroren, for your case, you are better off running a stats command instead of transaction to perform the correlation:
<YourBaseSearch> "Start handling request" OR "Handling request finished"
| eval status=case(searchmatch("Start handling request"),"Start",searchmatch("Handling request finished"),"Finished")
| stats count as eventcount min(_time) as startTime max(_time) as endTime values(status) as status by TaskID
| eval duration=endTime-startTime
| fieldformat startTime=strftime(startTime,"%Y-%m-%d %H:%M:%S")
| fieldformat endTime=strftime(endTime,"%Y-%m-%d %H:%M:%S")
| search eventcount=1 AND status!="Finished"
PS: Make sure TaskID is a transaction ID and not something like a Thread ID which may repeat over time, otherwise your search would need to be changed to find correct matches.
Thanks for your answer, was extremely helpful.
With this transaction, how can I find similar transactions that have a startswith="Start handling request" but don't have endswith (transactions that didn't finish yet)?
Thanks,
Nir
You can leave out those startswith and endswith parts if needed.
PS: you might want to change your 'answer' to a comment and if my answer (or the answer of @niketnilay below) works for you, appreciated if you mark it as accepted, such that it is clear this question was answered 🙂
Have a look at the transaction command. That should give you the tools you need to do what you want to do.
For example:
...base search that returns these events...
| transaction TaskID startswith="Start handling request" endswith="Handling request finished"
The transactions that result from this will have a duration field, you can also append a stats command to this search to count number of transactions (by TaskID) etc.
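The correlation discussed in the answers above, written out as an added Python example (not part of the original thread and not Splunk code): it pairs each "Start handling request" with the next "Handling request finished" on the same thread, so a reused thread ID does not merge two requests, lists requests that never finished, and groups durations by type or agent. The log lines are constructed in the layout shown in the question; `correlate`, `stats_by` and `SAMPLE_LOG` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the layout of the log in the question (not real data).
SAMPLE_LOG = """\
2018-01-25 13:49:40,107 INFO [com.wss.service.agent.AgentServlet] (default task-46) ************************* Start handling request *************************
2018-01-25 13:49:40,183 INFO [com.wss.service.agent.AgentServlet] (default task-46) Handling request
type=XXXX
agent=QQQQ
2018-01-25 13:49:40,267 INFO [com.wss.service.agent.AgentServlet] (default task-46) ************************* Handling request finished *************************
2018-01-25 13:49:41,000 INFO [com.wss.service.agent.AgentServlet] (default task-46) ************************* Start handling request *************************
2018-01-25 13:49:41,010 INFO [com.wss.service.agent.AgentServlet] (default task-46) Handling request
type=YYYY
agent=QQQQ
2018-01-25 13:49:41,500 INFO [com.wss.service.agent.AgentServlet] (default task-47) ************************* Start handling request *************************
2018-01-25 13:49:41,750 INFO [com.wss.service.agent.AgentServlet] (default task-47) Handling request
type=XXXX
agent=RRRR
2018-01-25 13:49:41,900 INFO [com.wss.service.agent.AgentServlet] (default task-47) ************************* Handling request finished *************************
"""
HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ +\[[^\]]+\] \(default task-(\d+)\) (.*)$")
FIELD = re.compile(r"^(type|agent)=(\S+)$")

def correlate(text):
    """Return (finished, unfinished) requests, pairing start/finish per thread in log order."""
    open_req, finished, unfinished, thread = {}, [], [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            thread, msg = m.group(2), m.group(3)
            if "Start handling request" in msg:
                if thread in open_req:  # thread ID reused before a finish was logged
                    unfinished.append(open_req[thread])
                open_req[thread] = {"thread": thread, "start": ts}
            elif "Handling request finished" in msg and thread in open_req:
                req = open_req.pop(thread)
                req["duration_ms"] = (ts - req["start"]) // timedelta(milliseconds=1)
                finished.append(req)
        elif thread in open_req and (f := FIELD.match(line.strip())):
            open_req[thread][f.group(1)] = f.group(2)  # continuation line of the last header
    return finished, unfinished + list(open_req.values())

def stats_by(finished, key):
    """Count, average and maximum duration (ms) of finished requests grouped by key."""
    groups = defaultdict(list)
    for r in finished:
        groups[r.get(key, "unknown")].append(r["duration_ms"])
    return {k: {"count": len(v), "avg_ms": sum(v) / len(v), "max_ms": max(v)} for k, v in groups.items()}
```

Untimestamped lines are attributed to the thread of the last timestamped line, which assumes the parameter dump is not interleaved with output from another thread.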