Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Grouping related events

ahogbin
Communicator
‎09-15-2013 09:25 PM

Hello.. I am having a bit of hard time trying to get my head around a report that I am attempting to create.

What I am attempting to do is to produce a report that combines the sub values (processes) of the parent ID. Lets say I have ParentID A which in turn has sub processes A, B & C with duration values against each.

Now, I would like to graph the values so that each ParentID appears as a separate column with its sub (child) processes stacked relative to their duration. Ideally what I want to be able to see is where a process for any transaction has blown out.

So far I have managed to produce a table that displays Conversation ID (parent) Message ID of the sub processes , the sub processes themselves and the duration of each process.

Below is the search query I am running (probably a better way of doing it but with my limited knowledge this is as good as I can get)

sourcetype="evo_logs" 
| transaction MESSAGEID AND USERID 
| table _time, CONVERSATIONID, MESSAGEID, USERID, PROCESS, duration 
| sort CONVERSATIONID, _time

The problem is is that each Conversation (parentID) is split over multiple lines dependant on the number of MessageId or processes.

I am struggling with trying to work out how I can group by Message (parent)ID and then by Process and Duration

Any help that you can offer a complete Splunk newbie would be very much appreciated.

Cheers,

Alastair

Tags (1)
0 Karma
Reply

derekarnold
Communicator
‎09-17-2013 08:20 AM

Possibly your events are too far apart in time?
Try experimenting with the maxspan and maxpause commands at the end of your transaction.

Maxspan is the max time between earliest and latest events. Maxpause is the total time between events.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...