Splunk Search

How can I use transaction to break down the sub processes of a duration?

tucker28
New Member

I have numerous exposures captured in the log with minimally structured data like the following.

.
.
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
.
.
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
.
.
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
.
.
.
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
.
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
.
.
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
.
.

I can get a nice chart of the overall exposure durations with something like the following.

<search> | transaction VIDEO startswith="Exposure(): entered" endswith="Exposure(): exit" | chart count by duration

But what I would really like to get is a more detailed chart showing on average how much of the duration is composed by each of the sub-processes A, B, C, ...
A Pie chart maybe...

I've been reading through the Transaction documentation, but I'm getting lost in the details... All help appreciated.

0 Karma

somesoni2
Revered Legend

Give this a try (field extraction needs to be adjusted per your need)

your search 
| rex "^(\S+\s+){4}Process (?<ProcessName>\S+)\s+(?<event_type>(start|end))"
| where isnotnull(event_type)
| chart values(_time) over ProcessName by event_type | eval duration=end-start
| table ProcessName duration
0 Karma

cmerriman
Super Champion

I think streamstats is right up your alley. This is just a rough draft, you'll have to mess with it depending on your variables and whatnot.

|makeresults|eval data="date=1512983193,type=VIDEO,session=Exposure_Entered date=1512983196,type=VIDEO,session=Process_A_Start date=1512983206,type=VIDEO,session=Process_A_End date=1512983300,type=VIDEO,session=Process_B_Start date=1512983345,type=VIDEO,session=Process_B_End date=1512983450,type=VIDEO,session=Exposure_Exit"|makemv data|mvexpand data|rename data as _raw|kv|rename date as _time|table _time type session|sort 0 _time|streamstats window=1 current=f values(session) as prev_session values(_time) as prev_time by type|eval duration=if(like(session,"%End"),_time-prev_time,null())

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats

0 Karma
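As an added example, not part of any post in this thread and not Splunk code: the Python below does outside Splunk what the two answers do with rex plus chart or streamstats. It parses log lines in the format quoted in the question, pairs each "Process X start" with its "Process X end" inside the enclosing "Exposure(): entered"/"exit" pair, and reports each sub-process's average share of the exposure duration. The sample log is constructed (timestamps are made up, and the second exposure deliberately lacks a "Process B end" line) so the unmatched-event case the SPL drafts silently produce null for is surfaced as a warning instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the question.
# Two exposures so the averaging is visible; the second one has a
# "Process B start" with no matching end.
SAMPLE_LOG = """\
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
2017/12/11 13:07:10.000 S_LOG VIDEO Exposure(): entered
2017/12/11 13:07:10.100 S_LOG VIDEO Process A start
2017/12/11 13:07:11.100 S_LOG VIDEO Process A end
2017/12/11 13:07:11.500 S_LOG VIDEO Process B start
2017/12/11 13:07:13.000 S_LOG VIDEO Exposure(): exit
"""

# Same token layout the rex in the first answer relies on:
# date time S_LOG <channel> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) S_LOG (?P<channel>\S+) (?P<msg>.*)$")
EXPOSURE_RE = re.compile(r"^Exposure\(\): (?P<evt>entered|exit)$")
PROCESS_RE = re.compile(r"^Process (?P<name>\S+) (?P<evt>start|end)$")


def parse_line(line):
    """Return (time, channel, kind, name, event), or None for lines to ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
    e = EXPOSURE_RE.match(m["msg"])
    if e:
        return ts, m["channel"], "exposure", None, e["evt"]
    p = PROCESS_RE.match(m["msg"])
    if p:
        return ts, m["channel"], "process", p["name"], p["evt"]
    return None


def build_exposures(log_text):
    """Pair entered/exit and start/end events per channel, keeping each
    sub-process nested inside the exposure it belongs to.
    Returns (list of finished exposures, list of warning strings)."""
    exposures, warnings = [], []
    open_exp = {}  # channel -> {"start": ts, "procs": {name: secs}, "open": {name: ts}}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, chan, kind, name, evt = parsed
        cur = open_exp.get(chan)
        if kind == "exposure" and evt == "entered":
            if cur is not None:
                warnings.append(f"{chan}: exposure entered at {cur['start']} never exited")
            open_exp[chan] = {"start": ts, "procs": {}, "open": {}}
        elif cur is None:
            warnings.append(f"{chan}: {line.strip()!r} outside any exposure")
        elif kind == "process" and evt == "start":
            if name in cur["open"]:
                warnings.append(f"{chan}: Process {name} started twice without end")
            cur["open"][name] = ts
        elif kind == "process":  # evt == "end"
            started = cur["open"].pop(name, None)
            if started is None:
                warnings.append(f"{chan}: Process {name} end without start")
            else:
                cur["procs"][name] = (ts - started).total_seconds()
        else:  # exposure exit: close it and flag any sub-process still open
            for name in cur["open"]:
                warnings.append(f"{chan}: Process {name} start without end before exposure exit")
            exposures.append({"channel": chan,
                              "total": (ts - cur["start"]).total_seconds(),
                              "procs": cur["procs"]})
            del open_exp[chan]
    return exposures, warnings


def average_shares(exposures):
    """Mean fraction of exposure duration spent in each sub-process, averaged
    over the exposures in which that sub-process completed."""
    shares = defaultdict(list)
    for exp in exposures:
        for name, secs in exp["procs"].items():
            shares[name].append(secs / exp["total"])
    return {name: sum(v) / len(v) for name, v in shares.items()}


if __name__ == "__main__":
    exps, warns = build_exposures(SAMPLE_LOG)
    for exp in exps:
        print(exp)
    for name, share in sorted(average_shares(exps).items()):
        print(f"Process {name}: {share:.1%} of exposure duration on average")
    for w in warns:
        print("warning:", w)
```

The per-exposure fractions are what a pie chart of "share of duration by sub-process" needs; the warnings list is worth checking before trusting the averages, because a missing end event in SPL simply yields a null duration and drops out of the chart without notice.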