Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction duration in Splunk

saradachelluboy
Explorer
‎07-11-2016 04:33 PM

Hi All,

Transaction duration based on thread name. I wrote the below search:

index="p" sourcetype="x" | transaction host startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

It is picking up the duration from jmsListenerA-10 request and jmsListenerA-11 response which is not valid. Could some one pls help?

This is multi threaded and data is not sequential, only identification is thread name i.e. jmsListenerA-10. once the response ends the thread will be reused again.

Log Data:

INFO  | 2016-07-12 02:05:03,556 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | request: <?xml version="1.0" encoding="UTF-8"?><urn:CorrelationId>11111</urn:CorrelationId>
INFO  | 2016-07-12 02:05:03,589 | jmsListenerA-10 | au.com.xxx.PGService | Number of transaction builder errors: 0
INFO  | 2016-07-12 02:05:03,757 | jmsListenerA-10 | au.com.xxx.PGService | This Transaction is of type: 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-11| au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>22222</ns11:CorrelationId>
INFO  | 2016-07-12 02:05:03,820 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:03,919 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | request:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,199 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | response:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,216 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>11111</ns11:CorrelationId>
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 11:12 PM 
index="p" sourcetype=x  | rex "(?<thread>jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"  | table thread duration

Working fine mixed sundareshr regular expression with transaction works perfect

Thanks to both

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-12-2016 03:45 AM

Beautiful thing!!!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-11-2016 04:46 PM

Transaction is not the best command for this. Try this approach instead

index="p" sourcetype="x" | rex "(?<thread>jmsListener-\d+)"  | rex "(?<direction>request|response)" | reverse | streamstats count as txn by host thread direction | streamstats current=f range(_time) as duration by txn | table host thread direction duration
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 10:14 PM

Hi Sundar,

I tried to execute the above it is trying to fetch data but I am unable to understand the duration logic

Is this in mill sec? The response can't be 0.0. I want request followed by response
I felt it pick anything with request and response. Please check jmsListenerA-10

thread                       direction         duration
jmsListenerA-7      response    
jmsListenerB-16     request             0.000  
jmsListenerB-16     response    1.280  
jmsListenerA-12     request     2.802  
jmsListenerA-12     response    3.521  
jmsListenerB-7      request             4.361  
jmsListenerB-7      response    4.795  
jmsListenerB-27     request             5.579  
jmsListenerB-27     response    47.066  
jmsListenerA-10     request             48.289  
jmsListenerA-27     request             54.968  
jmsListenerA-10     response    55.055  
jmsListenerA-27     response    56.150  
jmsListenerA-12     request    
jmsListenerA-12     response    0.000  
jmsListenerB-12     request             56.273  
jmsListenerB-18     request             66.584  
jmsListenerB-18     response    67.584  
jmsListenerB-12     response    68.249  
jmsListenerA-12     request
0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...