Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Detect most delay transactions

indeed_2000
Motivator
‎02-19-2020 11:37 PM

How can I find most delay transactions?
Here is the log file like below, I want to find which transaction delay and sort them descending, show result in table and subtract time stamp and show in front of transaction

Here is the log:

16:30:53:002 start[C1]L[143]F[10]
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:58:002 end[C1]L[143]F[10]
16:30:59:002 start[C1]L[143]F[11]
16:30:60:002 end[C1]L[143]F[11]

Expected output:

Transaction                               Delay 
16:30:53:002 start[C1]L[143]F[10]            5s 
16:30:58:002 end[C1]L[143]F[10]

16:30:59:002 start[C1]L[143]F[10]            1s 
16:30:60:002 end[C1]L[143]F[10]

...

FYI: 1 sometimes we have start without end, or end without start.
2 “F” means footprints, sometimes “F” it might not be unique, so after first “start” we should expect “end”.

Any recommendation?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-21-2020 07:35 AM

Hi @mehrdad_2000, Try this query:

 | makeresults | eval Transaction="16:30:53:002 start[C1]L[143]F[10],16:30:54:002 start[C2]L[143]F[20],16:30:55:002 start[C5]L[143]F[02],16:30:56:002 start[C12]L[143]F[30],16:30:57:002 start[C5]L[143]F[7],16:30:58:002 end[C1]L[143]F[10],16:30:59:002 start[C1]L[143]F[11],16:31:00:002 end[C1]L[143]F[11]" | makemv delim="," Transaction | mvexpand Transaction | rex field=Transaction "(?<time>[\d:]+)\s(?<status>[\w]+)(?<field>.*)" | eventstats count by field | where count=2 | eval time=strptime(time, "%H:%M:%S:%3N") | delta p=1 time as Delay | eval Delay=if(status="end", Delay, "") | table Transaction, Delay

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-21-2020 07:35 AM

Hi @mehrdad_2000, Try this query:

 | makeresults | eval Transaction="16:30:53:002 start[C1]L[143]F[10],16:30:54:002 start[C2]L[143]F[20],16:30:55:002 start[C5]L[143]F[02],16:30:56:002 start[C12]L[143]F[30],16:30:57:002 start[C5]L[143]F[7],16:30:58:002 end[C1]L[143]F[10],16:30:59:002 start[C1]L[143]F[11],16:31:00:002 end[C1]L[143]F[11]" | makemv delim="," Transaction | mvexpand Transaction | rex field=Transaction "(?<time>[\d:]+)\s(?<status>[\w]+)(?<field>.*)" | eventstats count by field | where count=2 | eval time=strptime(time, "%H:%M:%S:%3N") | delta p=1 time as Delay | eval Delay=if(status="end", Delay, "") | table Transaction, Delay
0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-22-2020 07:09 AM

Thank you this exactly what I want.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-21-2020 12:03 AM 
your search
| rex "(?<time>\S+) (?<status>start|end)(?<id>\[\w+\]L\[\d+\])"
| eval time=strptime(time, "%T:%3Q")
| streamstats count(eval(status="start")) as session by id
| stats list(_raw) as Transaction range(time) as Delay count as flag by session id
| where flag >1
| table Transaction Delay
| eval Delay=tostring(Delay, "duration")
0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-21-2020 01:17 AM

Please use makeresults

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-21-2020 02:03 AM

why? there is your search, isn't it?

0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-21-2020 02:12 AM

No result not work as expected, if makeresults add to it i can describe more precisely here.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-21-2020 02:32 AM

Is that so,I'm sorry.

0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-21-2020 02:51 AM

Seems group all the result, not separate them two by two that dedicate them bye “start” and “end”.
I think footprint (F) and time stamp might help to separate them two by two.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-21-2020 03:07 AM

No such thing.

0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-21-2020 05:07 AM

Here is the output 

16:30:53:002 start[C1]L[143]F[10]          6s
 16:30:54:002 start[C2]L[143]F[20]
 16:30:55:002 start[C5]L[143]F[02]
 16:30:56:002 start[C12]L[143]F[30]
 16:30:57:002 start[C5]L[143]F[7]
 16:30:59:002 start[C1]L[143]F[11]



16:30:58:002 end[C1]L[143]F[10]       2s
 16:30:60:002 end[C1]L[143]F[11]
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-21-2020 05:19 AM

why another session and id are same multivalue?

0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎02-21-2020 01:13 AM

Would you please add makeresults in the first below sample, so I can check output, thanks.

16:30:53:002 start[C1]L[143]F[10]
16:30:54:002 start[C2]L[143]F[20]
16:30:55:002 start[C5]L[143]F[02]
16:30:56:002 start[C12]L[143]F[30]
16:30:57:002 start[C5]L[143]F[7]
16:30:58:002 end[C1]L[143]F[10]
16:30:59:002 start[C1]L[143]F[11]
16:30:60:002 end[C1]L[143]F[11]

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...