Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction duration in Splunk

saradachelluboy
Explorer
‎07-11-2016 04:33 PM

Hi All,

Transaction duration based on thread name. I wrote the below search:

index="p" sourcetype="x" | transaction host startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

It is picking up the duration from jmsListenerA-10 request and jmsListenerA-11 response which is not valid. Could some one pls help?

This is multi threaded and data is not sequential, only identification is thread name i.e. jmsListenerA-10. once the response ends the thread will be reused again.

Log Data:

INFO  | 2016-07-12 02:05:03,556 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | request: <?xml version="1.0" encoding="UTF-8"?><urn:CorrelationId>11111</urn:CorrelationId>
INFO  | 2016-07-12 02:05:03,589 | jmsListenerA-10 | au.com.xxx.PGService | Number of transaction builder errors: 0
INFO  | 2016-07-12 02:05:03,757 | jmsListenerA-10 | au.com.xxx.PGService | This Transaction is of type: 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-11| au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>22222</ns11:CorrelationId>
INFO  | 2016-07-12 02:05:03,820 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:03,919 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | request:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,199 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | response:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,216 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>11111</ns11:CorrelationId>
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 11:12 PM 
index="p" sourcetype=x  | rex "(?<thread>jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"  | table thread duration

Working fine mixed sundareshr regular expression with transaction works perfect

Thanks to both

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-12-2016 03:45 AM

Beautiful thing!!!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-11-2016 04:46 PM

Transaction is not the best command for this. Try this approach instead

index="p" sourcetype="x" | rex "(?<thread>jmsListener-\d+)"  | rex "(?<direction>request|response)" | reverse | streamstats count as txn by host thread direction | streamstats current=f range(_time) as duration by txn | table host thread direction duration
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 10:14 PM

Hi Sundar,

I tried to execute the above it is trying to fetch data but I am unable to understand the duration logic

Is this in mill sec? The response can't be 0.0. I want request followed by response
I felt it pick anything with request and response. Please check jmsListenerA-10

thread                       direction         duration
jmsListenerA-7      response    
jmsListenerB-16     request             0.000  
jmsListenerB-16     response    1.280  
jmsListenerA-12     request     2.802  
jmsListenerA-12     response    3.521  
jmsListenerB-7      request             4.361  
jmsListenerB-7      response    4.795  
jmsListenerB-27     request             5.579  
jmsListenerB-27     response    47.066  
jmsListenerA-10     request             48.289  
jmsListenerA-27     request             54.968  
jmsListenerA-10     response    55.055  
jmsListenerA-27     response    56.150  
jmsListenerA-12     request    
jmsListenerA-12     response    0.000  
jmsListenerB-12     request             56.273  
jmsListenerB-18     request             66.584  
jmsListenerB-18     response    67.584  
jmsListenerB-12     response    68.249  
jmsListenerA-12     request
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...