I'm reviewing debug logs that have some Enter/Exit values for each step of a process. Currently I can calculate the total Transaction duration or the duration of a specific operation within that transaction (Enter/Exit entries), but I'd like to pull these into a single search so that I can calculate the difference in duration from a specific operation vs the total transaction.
My problem seems to be related to getting all my fields to the final calculation. Only SID & duration of the outside transaction are coming through.
Here's my search:
SomeOperation | transaction SID maxspan=120s maxpause=120s [search host="foo" sourcetype="bar" SID | transaction SID maxspan=120s maxpause=120s | eval total=duration | fields SID, total, _raw] | eval diff=total-duration | fields SID, diff, duration, total
Here's an example of the data I'm looking at:
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Process: Enter
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:33:221 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Process: Exit
I basically want to get the duration of the whole group, plus the duration of SomeImportantOperation. This will allow me to calculate a difference between the two and see whether or not SomeImportantOperation is bogging down the whole transaction. (i.e., what percentage of the transaction is spent in SomeImportantOperation?)
My search does appear to be working, but my field 'total' does not appear to be making it out of the subsearch (which causes my 'diff' calculation to fail too).
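The calculation described in the question, worked over its sample log lines in Python rather than Splunk, as an added example that is not part of the original posts: it pairs Enter/Exit markers per SID and reports total, duration, diff and the percentage spent in SomeImportantOperation. The function names and regexes are assumptions made for this illustration; the sample is the question's excerpt with some of the "Blah" lines dropped.

```python
import re
from datetime import datetime

# Constructed sample: the question's log excerpt, some filler lines dropped.
SAMPLE = """\
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Process: Enter
2010-08-16 12:02:33:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:33:221 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27 ] DEBUG SomeService SID=123 SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Blah blah blah
2010-08-16 12:02:35:221 [26 ] DEBUG SomeApp SID=123 Process: Exit
"""

# Timestamp uses ':' before the milliseconds, so it needs its own pattern.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) .*?SID=(?P<sid>\S+) (?P<msg>.*)$"
)
MARK = re.compile(r"^(?P<op>\w+): (?P<phase>Enter|Exit)$")

def op_durations(text):
    """Return {sid: {operation: seconds}} from paired Enter/Exit lines."""
    opened, result = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        mark = m and MARK.match(m["msg"].strip())
        if not mark:
            continue  # ordinary log line, not an Enter/Exit marker
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S:%f")
        key = (m["sid"], mark["op"])
        if mark["phase"] == "Enter":
            opened.setdefault(key, ts)  # keep the first Enter if it repeats
        elif key in opened:             # skip an Exit that has no Enter
            secs = (ts - opened.pop(key)).total_seconds()
            ops = result.setdefault(m["sid"], {})
            ops[mark["op"]] = ops.get(mark["op"], 0.0) + secs
    return result

def share(text, inner="SomeImportantOperation", outer="Process"):
    """Per SID: (total, duration, diff, percent of total spent in inner)."""
    out = {}
    for sid, ops in op_durations(text).items():
        if inner in ops and outer in ops and ops[outer] > 0:
            total, duration = ops[outer], ops[inner]
            out[sid] = (total, duration, total - duration, 100 * duration / total)
    return out
```

For the sample, SID 123 spends 1.063 s of a 2.000 s transaction in SomeImportantOperation, which gives a reference value to compare a search's output against.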
I've never seen a sub-search on a transaction command like this. Is your existing search working? Also, can you give an example of "SomeOperation"? Are you sure your fields are being limited by your "fields" command? Looks like you are only keeping 4 of them (your very last command).