Splunk Search

How can I use transaction to break down the sub processes of a duration?

tucker28
New Member

I have numerous exposures captured in the log with minimaly structured data like the following.

.
.
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
.
.
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
.
.
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
.
.
.
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
.
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
.
.
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
.
.

I can get a nice chart of the overall exposure durations with something like the following.

<search> | transaction VIDEO startswith="Exposure(): entered" endswith="Exposure(): exit" | chart count by duration

But what I would really like to get is a more detailed chart showing on average how much of the duration is composed by each of the sub process A,B,C,...
A Pie chart maybe...

I've been reading through the Transaction documentation, but I'm getting lost in the details... All help appreciated.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try (field extraction needs to be adjusted per your need)

your search 
| rex "^(\S+\s+){4}Process (?<ProcessName>\S+)\s+(?<event_type>(start|end))"
| where isnotnull(event_type)
| chart values(_time) over ProcessName by event_type | eval duration=end-start
| table ProcessName duration
0 Karma

cmerriman
Super Champion

I think streamstats is right up your alley. this is just a rough draft, you'll have to mess with it depending on your variables and whatnot.

|makeresults|eval data="date=1512983193,type=VIDEO,session=Exposure_Entered date=1512983196,type=VIDEO,session=Process_A_Start date=1512983206,type=VIDEO,session=Process_A_End date=1512983300,type=VIDEO,session=Process_B_Start date=1512983345,type=VIDEO,session=Process_B_End date=1512983450,type=VIDEO,session=Exposure_Exit"|makemv data|mvexpand data|rename data as _raw|kv|rename date as _time|table _time type session|sort 0 _time|streamstats window=1 current=f values(session) as prev_session values(_time) as prev_time by type|eval duration=if(like(session,"%End"),_time-prev_time,null())

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...