Splunk Search

Calculating the duration of a transaction fragment vs. the total transaction

Yancy
Path Finder

I'm reviewing debug logs that have some Enter/Exit values for each step of a process. Currently I can calculate the total transaction duration or the duration of a specific operation within that transaction (Enter/Exit entries), but I'd like to pull these into a single search so that I can calculate the difference in duration of a specific operation vs. the total transaction.

My problem seems to be related to getting all my fields to the final calculation. Only SID and the duration of the outside transaction are coming through.

Here's my search

SomeOperation | transaction SID maxspan=120s maxpause=120s [search host="foo" sourcetype="bar" SID | transaction SID maxspan=120s maxpause=120s | eval total=duration | fields SID, total, _raw] | eval diff=total-duration | fields SID, diff, duration, total

Edit:

Here's an example of the data I'm looking at:

2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Process: Enter
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:33:221 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah 
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Process: Exit

I basically want to get the duration of the whole group, plus the duration of SomeImportantOperation. This will allow me to calculate a difference between the two and see whether or not SomeImportantOperation is bogging down the whole transaction (i.e. what percentage of the transaction is spent in SomeImportantOperation?).

My search does appear to be working, but my field 'total' does not appear to be making it out of the subsearch (which causes my 'diff' calculation to fail too).
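The calculation the question is after (the span of the whole SID group versus the Enter-to-Exit span of one operation inside it, then the difference and the percentage) written out as an added Python example rather than SPL; this is not code from the thread or from Splunk. It parses the sample lines quoted in the question (SID=123) plus one constructed transaction (SID=124) whose SomeImportantOperation logs Enter but never Exit, so the incomplete case is reported instead of producing a bogus duration. The total per SID is last event minus first event, which is what the transaction command's duration field represents.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines from the question (SID=123) plus a constructed SID=124 whose
# operation never exits, to show how an unmatched Enter is reported.
SAMPLE_LOG = """\
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Process: Enter
2010-08-16 12:02:33:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah
2010-08-16 12:02:33:221 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Enter
2010-08-16 12:02:34:284 [27             ] DEBUG SomeService SID=123     SomeImportantOperation: Exit
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Blah blah blah 
2010-08-16 12:02:35:221 [26             ] DEBUG SomeApp    SID=123     Process: Exit
2010-08-16 12:05:00:000 [31             ] DEBUG SomeApp    SID=124     Process: Enter
2010-08-16 12:05:00:500 [32             ] DEBUG SomeService SID=124     SomeImportantOperation: Enter
2010-08-16 12:05:01:000 [31             ] DEBUG SomeApp    SID=124     Process: Exit
"""

# Layout of one log line: timestamp, [thread], level, component, SID=n, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) \[\s*(?P<thread>\d+)\s*\] "
    r"(?P<level>\w+) (?P<component>\S+)\s+SID=(?P<sid>\d+)\s+(?P<msg>.*?)\s*$"
)
# Messages that mark the start or end of a step, e.g. "SomeImportantOperation: Enter".
STEP_RE = re.compile(r"^(?P<op>\w+): (?P<phase>Enter|Exit)$")


def parse_ts(text):
    """The log writes milliseconds after a colon, so strptime's %f (microseconds)
    would misread '221' as 221000 us; split the ms field off and add it explicitly."""
    base, ms = text.rsplit(":", 1)
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(ms))


def ms_between(start, end):
    """Exact integer millisecond difference (avoids float rounding of total_seconds())."""
    return (end - start) // timedelta(milliseconds=1)


def build_transactions(lines):
    """Group events by SID. total_ms is last event minus first event; ops maps an
    operation name to its Enter->Exit duration in ms, or None if Exit never arrived."""
    txns = defaultdict(lambda: {"first": None, "last": None, "enter": {}, "ops": {}})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format; skip it
        ts = parse_ts(m.group("ts"))
        t = txns[m.group("sid")]
        t["first"] = ts if t["first"] is None else min(t["first"], ts)
        t["last"] = ts if t["last"] is None else max(t["last"], ts)
        step = STEP_RE.match(m.group("msg"))
        if not step:
            continue  # ordinary debug chatter, only extends the transaction span
        op, phase = step.group("op"), step.group("phase")
        if phase == "Enter":
            t["enter"][op] = ts
            t["ops"].setdefault(op, None)  # stays None until a matching Exit is seen
        elif op in t["enter"]:
            t["ops"][op] = ms_between(t["enter"].pop(op), ts)
    return {
        sid: {"total_ms": ms_between(t["first"], t["last"]), "ops": t["ops"]}
        for sid, t in txns.items()
    }


def compare(txns, sid, op):
    """Return (total_ms, op_ms, diff_ms, pct_in_op) for one SID, or None when the
    operation is absent or has no matching Exit in that transaction."""
    t = txns[sid]
    op_ms = t["ops"].get(op)
    if op_ms is None:
        return None
    total = t["total_ms"]
    pct = round(100.0 * op_ms / total, 2) if total else None
    return total, op_ms, total - op_ms, pct


if __name__ == "__main__":
    txns = build_transactions(SAMPLE_LOG.splitlines())
    for sid in sorted(txns):
        res = compare(txns, sid, "SomeImportantOperation")
        if res is None:
            print(f"SID={sid}: SomeImportantOperation has no matching Exit; "
                  f"total={txns[sid]['total_ms']} ms")
        else:
            total, op_ms, diff, pct = res
            print(f"SID={sid}: total={total} ms, op={op_ms} ms, diff={diff} ms ({pct}% in op)")
```

For SID=123 this yields a 2000 ms transaction of which 1063 ms (53.15%) is spent in SomeImportantOperation, the figures the question wants to compare; SID=124 is reported as incomplete rather than silently given a zero or negative duration.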

1 Solution

Lowell
Super Champion

I've never seen a sub-search on a transaction command like this. Is your existing search working? Also, can you give an example of "SomeOperation"? Are you sure your fields are being limited by your "fields" command? Looks like you are only keeping 4 of them (your very last command).


Lowell
Super Champion

Yancy
Path Finder

Confirmed, option one works great. Thanks!


Yancy
Path Finder

This first link looks spot on; will try this out.
