Hi,
I am searching the logs to trace the events in the log files for a given transaction id.
I see the results from two servers, the flow is like this:
Transaction id 'T10001' produced 6 events.
9/16/16
11:42:43.000 AM T10001 host=server1 source=app1.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server2 source=app2.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server2 source=app2.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server2 source=app2.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server2 source=app2.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server1 source=app1.log sourcetype=applog
I want to visualize these transactions, but currently my visualization tab says 'Your search isn't generating any statistic or visualization results. Here are some possible ways to get results.'
How do I change my search to visualize these transactional events?
I'm going to assume there's a lot of these events with various transaction ids.
First off, though, I see no indication that Splunk has parsed your transaction ids properly. Most of the fields in the events are probably fine, so use the field extractor at the bottom left of the stuff on your screen and build your own (under the fields - "extract new fields" I think it says).
- Click the button or link to start the field extractor
- Pick any event with the Transaction ID in it to use as your sample
- Select to use the regex way (not delimited)
- Drag your mouse over the transaction ID portion to highlight it
- Name it TransID in the popup
- Look around at the validation stuff to make sure it looks right
- Save it.
This new field TransID should have values like T10001, T10002 or whatever. You'll want to NOT search for a specific transaction id at this time, so remove any "T1001" or whatever in your search string.
Now, once you have that field, find it on the left. Try clicking it to see a simple breakdown of how often it occurs and whatnot. At the top of that fly-out menu, click "top values by time" and then you'll have a visualization. You might have to flip between statistics tabs and visualization tabs to see it.
At this time, you'll have a search vaguely like
index=X sourcetype=X <maybe some other stuff> | timechart count by TransID
You can add and modify from there. Here's the docs for timechart and all the other commands.
I agree with sundareshr and somesoni2 in their implication we're a little shy on information or descriptions of what it is you are really after, so this is obviously not specific but more of a general "let me help you get started". If you have a very specific thing you'd like to see and can describe it for us in a way that we can figure out what that thing is, we can probably help you do that.
Happy Splunking!
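An offline sketch of what the steps in the answer above produce, added here as an example (it is not from the original post and is not Splunk code): it applies a regex extraction for `TransID` to events in the layout shown in the question, then builds the per-minute counts that `timechart count by TransID` would chart and the hosts each transaction touched. The id pattern `T\d+`, the `T10002` and `heartbeat` sample events, and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout shown in the question: a date line, then
# time, transaction id and key=value fields. T10002 and "heartbeat" are made up.
SAMPLE = """\
9/16/16
11:42:43.000 AM T10001 host=server1 source=app1.log sourcetype=applog
9/16/16
11:42:43.000 AM T10001 host=server2 source=app2.log sourcetype=applog
9/16/16
11:43:10.000 AM T10002 host=server1 source=app1.log sourcetype=applog
9/16/16
11:43:12.000 AM T10002 host=server2 source=app2.log sourcetype=applog
9/16/16
11:44:00.000 AM heartbeat host=server1 source=app1.log sourcetype=applog
"""

# Assumed id shape: "T" followed by digits, as in T10001.
TRANS_ID = re.compile(r"\b(?P<TransID>T\d+)\b")
KV = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Pair each date line with the event line after it and extract fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for date, body in zip(lines[0::2], lines[1::2]):
        clock = " ".join(body.split()[:2])  # e.g. "11:42:43.000 AM"
        ev = dict(KV.findall(body))
        ev["_time"] = datetime.strptime(f"{date} {clock}", "%m/%d/%y %I:%M:%S.%f %p")
        m = TRANS_ID.search(body)
        ev["TransID"] = m.group("TransID") if m else None  # None: no id found
        events.append(ev)
    return events

def timechart_count(events):
    """Events per (minute, TransID): the table 'timechart count by TransID' charts."""
    return Counter((ev["_time"].strftime("%H:%M"), ev["TransID"])
                   for ev in events if ev["TransID"])

def hosts_by_transaction(events):
    """Hosts each transaction touched, in event order, for tracing its path."""
    paths = {}
    for ev in events:
        if ev["TransID"]:
            paths.setdefault(ev["TransID"], []).append(ev["host"])
    return paths

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(timechart_count(evs))
    print(hosts_by_transaction(evs))
```

Events where `TransID` comes back as `None` are the ones the extraction missed, which is the same thing the field extractor's validation step lets you check before saving.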
Thanks everyone for your help. I am now able to see the visualizations.
Here is what I am trying to achieve: I have a transaction that passes through 4 different webservices hosted on 4 different servers. I am trying to trace the transactions and visualize them on a graph. I have installed the Sankey plugin for displaying the transactional flow.
Oh, great! Sounds like this helped get you on your way.
The Sankey plugin/visualization may take a little playing, but hopefully this will get you started.
If you can't figure that out, I'd suggest creating a new Question that's specifically for that to keep it easy for others to search later. In that new question, tell us what you've tried, give us a few rows of your data if you can, and as good a description of what you are trying to accomplish as you can, and I'm sure someone more familiar with those sorts of visualizations may chime in and help.
Happy Splunking!
How about doing some reading on different options available and how to use them here...
http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Visualizationreference
How would you like to visualize these events?