Splunk Search

How can I use transaction to break down the sub processes of a duration?

New Member

I have numerous exposures captured in the log with minimally structured data like the following.

.
.
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
.
.
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
.
.
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
.
.
.
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
.
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
.
.
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
.
.

I can get a nice chart of the overall exposure durations with something like the following.

<search> | transaction VIDEO startswith="Exposure(): entered" endswith="Exposure(): exit" | chart count by duration

But what I would really like to get is a more detailed chart showing, on average, how much of the duration is made up of each of the sub processes A, B, C, ...
A Pie chart maybe...

I've been reading through the Transaction documentation, but I'm getting lost in the details... All help appreciated.

0 Karma
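The breakdown the question asks for, as an added example that is not part of this thread: a small Python script (not Splunk SPL, and not code from any poster) that reads log lines in the layout shown above, treats each "Exposure(): entered" ... "Exposure(): exit" pair as one transaction (the same pairing the transaction command does), pairs each "Process X start" with its "Process X end" inside that transaction, and reports the mean seconds and mean share of the exposure duration per sub process, averaged across all complete exposures. The sample log is constructed here (a second exposure is added to the one in the question) and the stray "." lines stand in for the elided lines in the original post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log, modelled on the format in the question (two exposures).
# The lone "." lines mimic the elided lines of the original post and are skipped.
SAMPLE_LOG = """\
.
2017/12/11 13:06:33.156 S_LOG VIDEO Exposure(): entered
2017/12/11 13:06:33.234 S_LOG VIDEO Process A start
2017/12/11 13:06:34.796 S_LOG VIDEO Process A end
.
2017/12/11 13:06:35.210 S_LOG VIDEO Process B start
2017/12/11 13:06:35.952 S_LOG VIDEO Process B end
2017/12/11 13:06:37.077 S_LOG VIDEO Exposure(): exit
.
2017/12/11 13:07:00.000 S_LOG VIDEO Exposure(): entered
2017/12/11 13:07:00.500 S_LOG VIDEO Process A start
2017/12/11 13:07:01.500 S_LOG VIDEO Process A end
2017/12/11 13:07:02.000 S_LOG VIDEO Process B start
2017/12/11 13:07:02.250 S_LOG VIDEO Process B end
2017/12/11 13:07:03.000 S_LOG VIDEO Exposure(): exit
"""

# Four whitespace-delimited header fields (date, time, source, channel), then the message.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
PROCESS_RE = re.compile(r"^Process (?P<name>\S+) (?P<event>start|end)$")
TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"


def exposures(log_text):
    """Yield one dict per complete exposure transaction:
    {"entered": datetime, "total": seconds, "processes": {name: seconds}}.
    Lines outside an open exposure, and exits without an entered, are ignored."""
    current = None      # exposure being built, or None while outside one
    open_starts = {}    # process name -> start time, for starts not yet ended
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue    # blank or "." lines carry no event
        date, clock, _source, _channel, message = m.groups()
        ts = datetime.strptime(f"{date} {clock}", TIME_FMT)
        if message == "Exposure(): entered":
            current = {"entered": ts, "processes": {}}
            open_starts = {}
        elif message == "Exposure(): exit":
            if current is None:
                continue    # exit with no matching entered: incomplete, drop it
            current["total"] = (ts - current["entered"]).total_seconds()
            yield current
            current = None
        elif current is not None:
            pm = PROCESS_RE.match(message)
            if not pm:
                continue    # some other message inside the exposure
            name, event = pm.group("name"), pm.group("event")
            if event == "start":
                open_starts[name] = ts
            elif name in open_starts:   # an end without a start is ignored
                current["processes"][name] = (ts - open_starts.pop(name)).total_seconds()


def average_breakdown(log_text):
    """Return {name: (mean_seconds, mean_fraction_of_exposure)} across all complete
    exposures; "other" is the part of each exposure not covered by any sub process."""
    seconds = defaultdict(list)
    fractions = defaultdict(list)
    for exp in exposures(log_text):
        total = exp["total"]
        accounted = 0.0
        for name, secs in exp["processes"].items():
            seconds[name].append(secs)
            fractions[name].append(secs / total)
            accounted += secs
        seconds["other"].append(total - accounted)
        fractions["other"].append((total - accounted) / total)
    return {name: (mean(seconds[name]), mean(fractions[name])) for name in seconds}


if __name__ == "__main__":
    # Text version of the pie chart the question mentions: one slice per sub process.
    for name, (secs, frac) in sorted(average_breakdown(SAMPLE_LOG).items()):
        print(f"{name:>6}: {secs:7.3f} s on average, {frac * 100:5.1f}% of the exposure")
```

The per-exposure fractions are averaged rather than dividing summed seconds by summed totals, so a single long exposure does not dominate the pie; switch to the summed form if you want time-weighted shares instead.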

SplunkTrust

Give this a try (field extraction needs to be adjusted per your need)

your search 
| rex "^(\S+\s+){4}Process (?<ProcessName>\S+)\s+(?<event_type>(start|end))"
| where isnotnull(event_type)
| chart values(_time) over ProcessName by event_type | eval duration=end-start
| table ProcessName duration
0 Karma

Super Champion

I think streamstats is right up your alley. This is just a rough draft, you'll have to mess with it depending on your variables and whatnot.

| makeresults
| eval data="date=1512983193,type=VIDEO,session=Exposure_Entered date=1512983196,type=VIDEO,session=Process_A_Start date=1512983206,type=VIDEO,session=Process_A_End date=1512983300,type=VIDEO,session=Process_B_Start date=1512983345,type=VIDEO,session=Process_B_End date=1512983450,type=VIDEO,session=Exposure_Exit"
| makemv data
| mvexpand data
| rename data as _raw
| kv
| rename date as _time
| table _time type session
| sort 0 _time
| streamstats window=1 current=f values(session) as prev_session values(_time) as prev_time by type
| eval duration=if(like(session,"%End"),_time-prev_time,null())

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats

0 Karma