Dashboards & Visualizations

How do I modify my search to create a visualization from transaction id events?

friscos
Explorer

Hi,

I am searching the logs to trace the events in the log files for a given transaction id.

I see the results from two servers, the flow is like this:

Transaction id 'T10001' produced 6 events.

9/16/16 11:42:43.000 AM    T10001   host=server1   source=app1.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server2   source=app2.log   sourcetype=applog
9/16/16 11:42:43.000 AM    T10001   host=server1   source=app1.log   sourcetype=applog

I want to visualize these transactions, but currently my visualization tab says 'Your search isn't generating any statistic or visualization results. Here are some possible ways to get results.'

How do I change my search to visualize these transactional events?

0 Karma
1 Solution

Richfez
SplunkTrust

I'm going to assume there's a lot of these events with various transaction ids.

First off, though, I see no indication that Splunk has parsed your transaction ids properly. Most of the fields in the events are probably fine, so use the field extractor at the bottom left of the stuff on your screen and build your own (under the fields - "extract new fields" I think it says).

  • Click the button or link to start the field extractor
  • Pick any event with the Transaction ID in it to use as your sample
  • Select to use the regex way (not delimited)
  • Drag your mouse over the transaction ID portion to highlight it
  • Name it TransID in the popup
  • Look around at the validation stuff to make sure it looks right
  • Save it.

This new field TransID should have values like T10001, T10002 or whatever. You'll want to NOT search for a specific transaction id at this time, so remove any "T1001" or whatever in your search string.

Now, once you have that field, find it on the left. Try clicking it to see a simple breakdown of how often it occurs and whatnot. At the top of that fly-out menu, click "top values by time" and then you'll have a visualization. You might have to flip between statistics tabs and visualization tabs to see it.

At this time, you'll have a search vaguely like

index=X sourcetype=X <maybe some other stuff> | timechart count by TransID

You can add and modify from there. Here are the docs for timechart and all the other commands.

I agree with sundareshr and somesoni2 in their implication we're a little shy on information or descriptions of what it is you are really after, so this is obviously not specific but more of a general "let me help you get started". If you have a very specific thing you'd like to see and can describe it for us in a way that we can figure out what that thing is, we can probably help you do that.

Happy Splunking!


friscos
Explorer

Thanks everyone for your help. I am now able to see the visualizations.

Here is what I am trying to achieve: I have a transaction that passes through 4 different web services hosted on 4 different servers. I am trying to trace the transactions and visualize them on a graph. I have installed the Sankey plugin for displaying the transactional flow.

0 Karma

Richfez
SplunkTrust

Oh, great! Sounds like this helped get you on your way.

The Sankey plugin/visualization may take a little playing, but hopefully this will get you started.

If you can't figure that out, I'd suggest creating a new Question that's specifically for that, to keep it easy for others to search later. In that new question, tell us what you've tried, give us a few rows of your data if you can and as good a description of what you are trying to accomplish as you can, and I'm sure someone more familiar with those sorts of visualizations may chime in and help.

Happy Splunking!

0 Karma
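An added example, not from the thread, tying Richfez's field-extraction step to friscos's Sankey follow-up: the first search extracts TransID inline with rex (the same thing the field extractor saves as a field) and feeds timechart; the second orders each transaction's events by time, pairs each host with the host of the preceding event, and produces the source/target/count table the Sankey visualization reads. It assumes index=X, sourcetype=applog and IDs of the form T followed by digits, as in the question.

```spl
index=X sourcetype=applog
| rex field=_raw "(?<TransID>\bT\d+\b)"
| timechart span=1m count by TransID

index=X sourcetype=applog
| rex field=_raw "(?<TransID>\bT\d+\b)"
| sort 0 TransID _time
| streamstats current=f last(host) as prev_host by TransID
| where isnotnull(prev_host) AND prev_host!=host
| stats count by prev_host host
| rename prev_host as source, host as target
```

The where clause drops consecutive events on the same server (server2 logged four in a row in the question), so the diagram shows only hops between hosts; removing it keeps the self-loops if you want to see repeated calls within one service.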

somesoni2
SplunkTrust

How about doing some reading on different options available and how to use them here...
http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Visualizationreference

0 Karma

sundareshr
Legend

How would you like to visualize these events?

0 Karma