Going with the info you have provided, define the transaction first and then do the rex for the duration and the subtransaction names.
search |
use rex to define a common field, CCID |
transaction CCID |
use rex to define subprocess field names and durations |
use rex to define total process duration |
use rex to define a few other identifying fields
If this is an input to Splunk, you should already have them broken into separate fields with input.conf, so the below solution might not apply exactly.
However, tested out with the sample data you provided...
index=_internal | stats count| eval text="2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.1; Duration: 0 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.2; Duration: 5 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.3; Duration: 10 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.4; Duration: 20204 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.5; Duration: 100 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.6; Duration: 647 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.7; Duration: 899 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.8; Duration: 399 ms;
2015-04-22 14:10:02,351 [ACTIVE] PerfLogger [CCID] - Message: subprocess.name.9; Duration: 411 ms;
2015-04-22 14:10:07,590 [ACTIVE] AfNDC [CCID] - Duration: 5239 ms Context: REST;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.1; Duration: 0 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.2; Duration: 6 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.3; Duration: 11 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.4; Duration: 20205 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.5; Duration: 101 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.6; Duration: 647 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.7; Duration: 899 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.8; Duration: 399 ms;
2015-04-22 14:10:03,351 [ACTIVE] PerfLogger [CCID11] - Message: subprocess.name.9; Duration: 411 ms;
2015-04-22 14:10:08,690 [ACTIVE] AfNDC [CCID11] - Duration: 5243 ms Context: REST;
"| makemv text delim=";
" | mvexpand text
| rex field=text "^(?<time>\S+\s\S+)"
| eval _time = strptime(time, "%Y-%m-%d %H:%M:%S,%3N")
| rex field=text ".*\s\[(?<proc>\S+)\]\s\-.*"
| transaction proc
| rex field=text ".*Message:\s(?<sname>\S+)\;.*"
| rex field=text ".*\;\sDuration\:\s(?<sdur>\d+)\s.*"
| rex field=text "\]\s\-\sDuration\:\s(?<tdur>\d+)\s.*"
| table proc,sname,sdur,duration,tdur
gives me