Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate Transaction Duration

indeed_2000
Motivator
‎07-17-2021 01:32 AM

Hi

i have log file like this:

 

2021-07-15 00:00:01,869 INFO client.InEE-server1-1234567 [AppListener] Receive Message[A123]: Q[p1.APP], IID[null], Cookie[{"NODE_SRC":"server0"}]

2021-07-15 00:00:01,871 INFO client.InEE-server1-1234567 [AlnProcessorService] Normal Message Received: A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server1]

2021-07-15 00:00:01,892 INFO client.InEE-server1-1234567 [TransactionProcessorService] Message Processed: A[000] TA[client.OutEE-server2] Status[OK-GO,NEXT]

2021-07-15 00:00:01,988 INFO APP.InEE-server1-1234567 [AaaPowerManager] Send Message [X0000A0000] to [APP.p2] with IID[null], LTE[00000]
.
.

.
2021-07-15 00:00:11,714 INFO APP.InE-p2-9876543 [AppListener] Receive Message[Y000000Z00000]: Q[p2.APP], IID[null], Cookie[null

2021-07-15 00:00:11,719 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Normal Message Received:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server2]

2021-07-15 00:00:11,736 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Message Processed:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] TA[client.OutEE-server1] Status[OK-OUT,null]
.
2021-07-15 00:00:11,747 INFO APP.InEE-P2-9876543_CLIENT.InEE-server1-1234567 [AaaPowerManager] Send Message [A123] to [APP.p1] with IID[null], LTE[00000]




Here is the flow:

step1 (Receive Request):

Server0> Client.InEE-server1>Client.OutEE-server2>  

step2 (Reply to request)

Client.InEE-server2> Client.OutEE-server1

 


expected result:

id                                            Source                                   destination                                 State                   duration

1234567                            Server0                                  Client.InEE-server1                Received          00:00:00:002

1234567                            -                                                 -                                                      Processed        00:00:00:021

1234567,9876543        -                                                Client.InEE-server2               Send                    00:00:00:096

9876543                            Client.InEE-server2          -                                                     Receive              00:00:09:726

9876543                            -                                                  -                                                     Received           00:00:00:005

9876543                            -                                                 -                                                      Processed        00:00:00:017

9876543,1234567        -                                                Client.OutEE-server1            Send                    00:00:00:011

Total duration                                                                                                                                                           00:00:09:878


      

FYI:  SA=source address, TA=target address 

Any idea 

Thanks,

Labels (6)
0 Karma
Reply

efika
Communicator
‎07-17-2021 07:31 AM

@indeed_2000 , what I wrote below is the complete SPL command assuming id and State are the correct fields just like you described.

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:39 AM

actually i want full SPL commands, because one of the problem is that I can’t extract fields on table.

 Thanks 

0 Karma
Reply

efika
Communicator
‎07-17-2021 12:15 PM

@indeed_2000 ,

What system/app is generating this logs ? did you try to find a TA on Splunkbase for it ?

At any rate, based on the logs you attached, this is what I came up with :

 

| rex "\-(?<id>\d+)\s*(\[|\_).*\-(?<id2>\d+)\s*(\[|\_)" 
| rex "(?<State>(Receive|Send|Received|Processed))(\s+Message|\:)" 
| transaction id startswith=(State=Received) endswith=(State=Send)
0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 02:34 PM

it's a custom app unfortunately there is no TA for that.

after run what you mention get this result 

id                    id2              duration

9876543    1234567    00:00:00:028

 

seems just apply for last part.

any idea?

thank

0 Karma
Reply

efika
Communicator
‎07-17-2021 02:34 AM

Hi @indeed_2000 ,

You can use the transaction command:

transaction id  startswith=(State=Received) endswith=(State=Send)

The duration field will be created for you by the command.

 

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:16 AM

@efika Thank you for answer,

would you please tell me complete SPL command?

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...