I want to check the duration time of my transaction in specific time interval. i.e. some customers might complaint that on that date or date range the system was slow and naturally one would like to see what is going on.

So all my transactions are "splunk friendly (I think)". Here is the example of transaction (mock data but real structure) :

[linenumber-1] 2012-06-14 23:58:59,964 INFO  http-bio-8080-exec-48 decider.MyRules (MyRules.java:59)     - Creating processing rules for customerId=222

[linenumber-2]2012-06-14 23:59:59,962 INFO  http-bio-8080-exec-48 decider.Exectuor (Exectuor.java:31)     - Executing Customer rules with adapter = [...somestring....]

[linenumber-3]2012-06-14 23:59:59,963 INFO  http-bio-8080-exec-48 cache.CacheAdapter (CacheAdapter.java:137)     - Retreiving cache value for customerId=222.

[linenumber-4]2012-06-14 23:59:59,964 INFO  priorityThread-1 publish.QpidDispatcherImpl (QpidDispatcherImpl.java:98)     - Completed with no Exceptions and sent to queue[queue name]

I don't know why lines keep breaking. So I added [linenumber] to each line number just so you know those are not parts of my logs.

So every line contains request id which then can be used for splunk transaction.

I extract my fields like this. I didn't paste because I couldn't format it correctly in this text editor and information would be incomplete.

So I'd like to use TRANSACTION_REQUEST_ID as my transaction field, which is equivalent to (3fa71f04-797e-4b94-b30c-736d3bc28ee7) in example above.

My ultimate goal is to get execution times per transaction. But I've started with something more simple but unfortunately no luck so far, here are the contents of my search box :

source="/logs/serverName_8080/catalina.out" earliest=06/14/2012:0:0:0 latest=06/15/2012:0:0:0 | transaction fields="TRANSACTION_REQUEST_ID"

But so far I'm not managing to hit any results. Can I get some help please?

Question update :

I did manage to get some results but no way to calculate the transaction execution time which is just frustrating after spending almost a day on this.

I went trough these questions :

http://splunk-base.splunk.com/answers/4381/can-splunk-help-me-further-analyzerefine-the-durations-of...

http://splunk-base.splunk.com/answers/13425/how-to-mesure-the-duration-of-unfinished-and-uncompleted...

http://splunk-base.splunk.com/answers/12860/sla-monitoring-percentage-of-slow-transactions

http://splunk-base.splunk.com/answers/25933/how-can-i-report-on-incomplete-transactions

http://splunk-base.splunk.com/answers/11730/duration-data-not-returning-properly-in-a-transaction

http://splunk-base.splunk.com/answers/103/transaction-vs-stats-commands

And I didn't find what I was looking for. I though this would get me towards my goal (it looked promising) :

source="/logs/serverName_8080/catalina.out" earliest=06/14/2012:0:0:0 latest=06/15/2012:0:0:0 | transaction fields="TRANSACTION_REQUEST_ID" keepevicted=true maxevents=10000 | rangemap field=duration 0-10=0-10 11-100=11-100 100-500=100-500 default=500+ | stats count by range

I though this would give me times in seconds but these were some times "made up" or what not.

If you look at the example above the result of duration should be some ~60 seconds or so. And if I could sort the transactions by range that would be even better. But for now I'd like to do anything successfully. thanks