Archive
Highlighted

How to get statistics from few rows with the same task id?

New Member

Hi,

I have few rows in 1 log:

2018-01-25 13:49:40,107 INFO  [com.wss.service.agent.AgentServlet] (default task-46) ************************* Start handling request *************************
2018-01-25 13:49:40,107 INFO  [com.wss.service.agent.AgentServlet] (default task-46) coming from 10.10.10.10
2018-01-25 13:49:40,183 INFO  [com.wss.service.agent.AgentServlet] (default task-46) Handling request 
com.wss.service.agent.impl.AgentRequestParams@429a71c5[
  type=XXXX
  agent=QQQQ
  agentVersion=1.0
  pluginVersion=2.0
  domainToken=bc08304288fb47769288afdf9044ae0155hgg654
  product=ZZZZZ
  productVersion=3.0
  timestamp=Thu Jan 25 13:49:39 GMT+02:00 2018
  requesterEmail=splunk@ws.com
  projectInfos=AgentProjectInfo@2ae7c61a[coordinates= Coordinates@3f30d63a[groupId= null,artifactId= AAAAAAA,version= null ],parentCoordinates= null,projectToken= null ]
]
2018-01-25 13:49:40,183 INFO  [com.wss.service.agent.AgentServlet] (default task-46) request type is UPDATE
2018-01-25 13:49:40,228 INFO  [com.wss.service.agent.impl.AgentServiceImpl] (default task-46) updating domain: DomainName, product: ProductName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) Updating inventory for BBBBBBB
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.impl.AgentServiceWorkManagerImpl] (default task-46) New UpdateInventoryTask for DomainName
2018-01-25 13:49:40,266 DEBUG [com.wss.service.agent.AgentServlet] (default task-46) writing result
2018-01-25 13:49:40,267 INFO  [org.perf4j.TimingLogger] (default task-46) start[1516880980107] time[159] tag[Agent Request]
2018-01-25 13:49:40,267 INFO  [com.wss.service.agent.AgentServlet] (default task-46) ************************* Handling request finished *************************

These rows describe a task (there are a lot of tasks with different types)
The task has TaskID - 46 in this example
How can we get a statistics on the tasks (how many times it was executed, duration, etc.) by type of task or agent

Thanks for the help

Tags (2)
0 Karma
Highlighted

Re: How to get statistics from few rows with the same task id?

Ultra Champion

Have a look at the transaction command. That should give you the tools you need to do what you want to do.

For example:

...base search that returns these events...
| transaction TaskID startswith="Start handling request" endswith="Handling request finished"

The transactions that result from this will have a duration field, you can also append a stats command to this search to count number of transactions (by TaskID) etc.

0 Karma
Highlighted

Re: How to get statistics from few rows with the same task id?

New Member

Thanks for your answer, was extremely helpful.

with this transaction, how can i find similar transactions that have a startwith="Start handling request" but dont have endswith (transaction that didnt finished yet.

Thanks,
Nir

0 Karma
Highlighted

Re: How to get statistics from few rows with the same task id?

Ultra Champion

You can leave out those startswith and endswith parts if needed.

PS: you might want to change your 'answer' to a comment and if my answer (or the answer of @niketnilay below) works for you, appreciated if you mark it as accepted, such that it is clear this question was answered 🙂

0 Karma
Highlighted

Re: How to get statistics from few rows with the same task id?

Legend

@niroren, for your case, you are better off running a stats command instead of transaction to perform the correlation:

 <YourBaseSearch> "Start handling request" OR "Handling request finished"
| eval status=case(searchmatch("Start handling request"),"Start",searchmatch("Handling request finished"),"Finished")
| stats count as eventcount first(_time) as startTime last(_time) as endTime values(status) as status by TaskID
| eval duration=endTime-startTime
| fieldformat startTime=strftime(startTime,"%Y-%m-%d %H:%M:%S")
| fieldformat endTime=strftime(endTime,"%Y-%m-%d %H:%M:%S")
| search eventcount=1 AND status!="Finished"

PS: Make sure TaskID is transaction ID and not something like Thread ID which may repeat over time, otherwise your search would need to be change to find correct matches.




| eval message="Happy Splunking!!!"


View solution in original post

0 Karma