Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction duration in Splunk

saradachelluboy
Explorer
‎07-11-2016 04:33 PM

Hi All,

Transaction duration based on thread name. I wrote the below search:

index="p" sourcetype="x" | transaction host startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

It is picking up the duration from jmsListenerA-10 request and jmsListenerA-11 response which is not valid. Could some one pls help?

This is multi threaded and data is not sequential, only identification is thread name i.e. jmsListenerA-10. once the response ends the thread will be reused again.

Log Data:

INFO  | 2016-07-12 02:05:03,556 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | request: <?xml version="1.0" encoding="UTF-8"?><urn:CorrelationId>11111</urn:CorrelationId>
INFO  | 2016-07-12 02:05:03,589 | jmsListenerA-10 | au.com.xxx.PGService | Number of transaction builder errors: 0
INFO  | 2016-07-12 02:05:03,757 | jmsListenerA-10 | au.com.xxx.PGService | This Transaction is of type: 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-11| au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>22222</ns11:CorrelationId>
INFO  | 2016-07-12 02:05:03,820 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:03,919 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | request:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,199 | jmsListenerA-10 | au.com.xxx.creditcard.provider.webpay.WebpayApiProviderImpl | response:  Transaction Bundle
INFO  | 2016-07-12 02:05:04,216 | jmsListenerA-10 | au.com.xxx.ProviderResponseJpa | Executing findProviderResponse 
INFO  | 2016-07-12 02:05:04,297 | jmsListenerA-10 | au.com.xxx.LoggingMessageConverter | response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns11:CorrelationId>11111</ns11:CorrelationId>
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-11-2016 04:49 PM

It seems that you need to extract the values of jmsListenerA-NN into a field such as jmsListener.

Your command can then be - 

index="p" sourcetype="x" | transaction jmsListener startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 11:12 PM 
index="p" sourcetype=x  | rex "(?<thread>jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"  | table thread duration

Working fine mixed sundareshr regular expression with transaction works perfect

Thanks to both

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-12-2016 03:45 AM

Beautiful thing!!!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-11-2016 04:46 PM

Transaction is not the best command for this. Try this approach instead

index="p" sourcetype="x" | rex "(?<thread>jmsListener-\d+)"  | rex "(?<direction>request|response)" | reverse | streamstats count as txn by host thread direction | streamstats current=f range(_time) as duration by txn | table host thread direction duration
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-11-2016 10:14 PM

Hi Sundar,

I tried to execute the above it is trying to fetch data but I am unable to understand the duration logic

Is this in mill sec? The response can't be 0.0. I want request followed by response
I felt it pick anything with request and response. Please check jmsListenerA-10

thread                       direction         duration
jmsListenerA-7      response    
jmsListenerB-16     request             0.000  
jmsListenerB-16     response    1.280  
jmsListenerA-12     request     2.802  
jmsListenerA-12     response    3.521  
jmsListenerB-7      request             4.361  
jmsListenerB-7      response    4.795  
jmsListenerB-27     request             5.579  
jmsListenerB-27     response    47.066  
jmsListenerA-10     request             48.289  
jmsListenerA-27     request             54.968  
jmsListenerA-10     response    55.055  
jmsListenerA-27     response    56.150  
jmsListenerA-12     request    
jmsListenerA-12     response    0.000  
jmsListenerB-12     request             56.273  
jmsListenerB-18     request             66.584  
jmsListenerB-18     response    67.584  
jmsListenerB-12     response    68.249  
jmsListenerA-12     request
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...