Dashboards & Visualizations

How do I modify my search to create a visualization from transaction id events?

friscos
Explorer

Hi,

I am searching the logs to trace the events in the log files for a given transaction id.

I see the results from two servers, the flow is like this:

Transaction id 'T10001' produced 6 events.

9/16/16 11:42:43.000 AM    T10001   host=server1   source=app1.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server1   source=app1.log   sourcetype=applog

I want to visualize these transactions, but currently my visualization tab says 'Your search isn't generating any statistic or visualization results. Here are some possible ways to get results.'

How do I change my search to visualize these transactional events?


Richfez
SplunkTrust

I'm going to assume there's a lot of these events with various transaction ids.

First off, though, I see no indication that Splunk has parsed your transaction ids properly. Most of the fields in the events are probably fine, so use the field extractor at the bottom left of the stuff on your screen and build your own (under the fields - "extract new fields" I think it says).

  • Click the button or link to start the field extractor
  • Pick any event with the Transaction ID in it to use as your sample
  • Select to use the regex way (not delimited)
  • Drag your mouse over the transaction ID portion to highlight it
  • Name it TransID in the popup
  • Look around at the validation stuff to make sure it looks right
  • Save it.

This new field TransID should have values like T10001, T10002 or whatever. You'll want to NOT search for a specific transaction id at this time, so remove any "T1001" or whatever in your search string.

Now, once you have that field, find it on the left. Try clicking it to see a simple breakdown of how often it occurs and whatnot. At the top of that fly-out menu, click "top values by time" and then you'll have a visualization. You might have to flip between statistics tabs and visualization tabs to see it.

At this time, you'll have a search vaguely like

index=X sourcetype=X <maybe some other stuff> | timechart count by TransID

You can add and modify from there. Here's the docs for timechart and all the other commands.

I agree with sundareshr and somesoni2 in their implication we're a little shy on information or descriptions of what it is you are really after, so this is obviously not specific but more of a general "let me help you get started". If you have a very specific thing you'd like to see and can describe it for us in a way that we can figure out what that thing is, we can probably help you do that.

Happy Splunking!

friscos
Explorer

Thanks everyone for your help. I am now able to see the visualizations.

Here is what I am trying to achieve: I have a transaction that passes through 4 different webservices hosted on 4 different servers. I am trying to trace the transactions and visualize them on a graph. I have installed the Sankey plugin for displaying the transactional flow.

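As an added example (not part of any post above), this search builds on the TransID extraction from the accepted answer to produce the source/target/count table that a Sankey diagram needs for the cross-server flow described in the follow-up. Each event is paired with the preceding hop of the same transaction via streamstats, consecutive events on the same server are dropped, and the remaining server-to-server hop pairs are counted. Assumed: index=X stands for your index, transaction ids match a T followed by five digits, and the Sankey visualization reads the first two result columns as source and target and the third as the link weight.

```spl
index=X sourcetype=applog
| rex field=_raw "(?<TransID>\bT\d{5}\b)"
| where isnotnull(TransID)
| sort 0 TransID _time
| streamstats current=f window=1 last(host) as source by TransID
| where isnotnull(source) AND source!=host
| rename host as target
| stats count by source target
```

For the six events shown, this yields one server1 -> server2 hop and one server2 -> server1 hop for T10001; because those events share a timestamp to the millisecond, hop order within a transaction depends on sub-second ordering of _time, so verify the table against a known transaction before trusting the diagram.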

Richfez
SplunkTrust

Oh, great! Sounds like this helped get you on your way.

The Sankey plugin/visualization may take a little playing, but hopefully this will get you started.

If you can't figure that out, I'd suggest creating a new Question that's specifically for that to keep it easy for others to search later. In that new question, tell us what you've tried, give us a few rows of your data if you can and as good a description of what you are trying to accomplish as you can, and I'm sure someone more familiar with those sorts of visualizations may chime in and help.

Happy Splunking!


somesoni2
Revered Legend

How about doing some reading on different options available and how to use them here...
http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Visualizationreference


sundareshr
Legend

How would you like to visualize these events?
