Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate Transaction Duration

indeed_2000
Motivator
‎07-17-2021 01:32 AM

Hi

i have log file like this:

 

2021-07-15 00:00:01,869 INFO client.InEE-server1-1234567 [AppListener] Receive Message[A123]: Q[p1.APP], IID[null], Cookie[{"NODE_SRC":"server0"}]

2021-07-15 00:00:01,871 INFO client.InEE-server1-1234567 [AlnProcessorService] Normal Message Received: A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server1]

2021-07-15 00:00:01,892 INFO client.InEE-server1-1234567 [TransactionProcessorService] Message Processed: A[000] TA[client.OutEE-server2] Status[OK-GO,NEXT]

2021-07-15 00:00:01,988 INFO APP.InEE-server1-1234567 [AaaPowerManager] Send Message [X0000A0000] to [APP.p2] with IID[null], LTE[00000]
.
.

.
2021-07-15 00:00:11,714 INFO APP.InE-p2-9876543 [AppListener] Receive Message[Y000000Z00000]: Q[p2.APP], IID[null], Cookie[null

2021-07-15 00:00:11,719 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Normal Message Received:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] SA[client.InEE-server2]

2021-07-15 00:00:11,736 INFO client.InEE-server2-9876543_client.InEE-server1-1234567 [TransactionProcessorService] Message Processed:A[000] B[00000] CD[00000-000000] EF[00:0000] GH[ 0000] TA[client.OutEE-server1] Status[OK-OUT,null]
.
2021-07-15 00:00:11,747 INFO APP.InEE-P2-9876543_CLIENT.InEE-server1-1234567 [AaaPowerManager] Send Message [A123] to [APP.p1] with IID[null], LTE[00000]




Here is the flow:

step1 (Receive Request):

Server0> Client.InEE-server1>Client.OutEE-server2>  

step2 (Reply to request)

Client.InEE-server2> Client.OutEE-server1

 


expected result:

id                                            Source                                   destination                                 State                   duration

1234567                            Server0                                  Client.InEE-server1                Received          00:00:00:002

1234567                            -                                                 -                                                      Processed        00:00:00:021

1234567,9876543        -                                                Client.InEE-server2               Send                    00:00:00:096

9876543                            Client.InEE-server2          -                                                     Receive              00:00:09:726

9876543                            -                                                  -                                                     Received           00:00:00:005

9876543                            -                                                 -                                                      Processed        00:00:00:017

9876543,1234567        -                                                Client.OutEE-server1            Send                    00:00:00:011

Total duration                                                                                                                                                           00:00:09:878


      

FYI:  SA=source address, TA=target address 

Any idea 

Thanks,

Labels (6)
0 Karma
Reply

efika
Communicator
‎07-17-2021 07:31 AM

@indeed_2000 , what I wrote below is the complete SPL command assuming id and State are the correct fields just like you described.

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:39 AM

actually i want full SPL commands, because one of the problem is that I can’t extract fields on table.

 Thanks 

0 Karma
Reply

efika
Communicator
‎07-17-2021 12:15 PM

@indeed_2000 ,

What system/app is generating this logs ? did you try to find a TA on Splunkbase for it ?

At any rate, based on the logs you attached, this is what I came up with :

 

| rex "\-(?<id>\d+)\s*(\[|\_).*\-(?<id2>\d+)\s*(\[|\_)" 
| rex "(?<State>(Receive|Send|Received|Processed))(\s+Message|\:)" 
| transaction id startswith=(State=Received) endswith=(State=Send)
0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 02:34 PM

it's a custom app unfortunately there is no TA for that.

after run what you mention get this result 

id                    id2              duration

9876543    1234567    00:00:00:028

 

seems just apply for last part.

any idea?

thank

0 Karma
Reply

efika
Communicator
‎07-17-2021 02:34 AM

Hi @indeed_2000 ,

You can use the transaction command:

transaction id  startswith=(State=Received) endswith=(State=Send)

The duration field will be created for you by the command.

 

0 Karma
Reply

indeed_2000
Motivator
‎07-17-2021 07:16 AM

@efika Thank you for answer,

would you please tell me complete SPL command?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...