Hello.. I am having a bit of hard time trying to get my head around a report that I am attempting to create.

What I am attempting to do is to produce a report that combines the sub values (processes) of the parent ID. Lets say I have ParentID A which in turn has sub processes A, B & C with duration values against each.

Now, I would like to graph the values so that each ParentID appears as a separate column with its sub (child) processes stacked relative to their duration. Ideally what I want to be able to see is where a process for any transaction has blown out.

So far I have managed to produce a table that displays Conversation ID (parent) Message ID of the sub processes , the sub processes themselves and the duration of each process.

Below is the search query I am running (probably a better way of doing it but with my limited knowledge this is as good as I can get)

sourcetype="evo_logs" 
| transaction MESSAGEID AND USERID 
| table _time, CONVERSATIONID, MESSAGEID, USERID, PROCESS, duration 
| sort CONVERSATIONID, _time

The problem is is that each Conversation (parentID) is split over multiple lines dependant on the number of MessageId or processes.

I am struggling with trying to work out how I can group by Message (parent)ID and then by Process and Duration

Any help that you can offer a complete Splunk newbie would be very much appreciated.

Cheers,

Alastair