Splunk Search

Transactions - grouping actions and matching on multiple fields

thesteve
Path Finder

I have a logfile which contains a set of performance related transactional data. I'm having trouble wrapping my brain around a proper search that will allow me to easily see transactions that are abnormally long.

Transactions are grouped together by name, thread id, and client-thread id (with a + or - indicating the start or end of the transaction).

Here's an example of what I'm looking at:

timestamp thread:123 client-thread:128 +login fred
timestamp thread:124 client-thread:132 +login lisa-hannigan
timestamp thread:123 client-thread:128 -login fred
timestamp thread:123 client-thread:127 +search fred searchstring
timestamp thread:145 client-thread: +flushcache flush system cache
timestamp thread:124 client-thread:132 +search lisa-hannigan searchstring
timestamp thread:126 client-thread:139 +search lisa-hannigan searchstring
timestamp thread:145 client-thread: -flushcache 
timestamp thread:123 client-thread:127 +search fred searchstring
timestamp thread:145 client-thread: +buildcache build system cache
timestamp thread:124 client-thread:132 -search lisa-hannigan searchstring
timestamp thread:126 client-thread:139 -search lisa-hannigan searchstring
timestamp thread:145 client-thread: -buildcache build system cache

I've built a regex that extracts the field data I need, but I'm having trouble wrapping my brain around a search string that will wrap the transactions appropriately. My "action" field contains +login/-login, +search/-search, etc.

I need to group these together: somehow pair up the +action and the -action, and I also need to match on both thread id and client thread id (which may be null).

My field data looks like:

threadid=123
clientthread=128
action=+login 

for the first line. I can adjust this if necessary. I'm wondering if this might be easier if I separate that out into action=login and actionstartend=+. I only show 4 action types here, but there are about 130 different actions, so I'd rather not have to do a search per action (i.e. login, search, flushcache, buildcache).


martin_mueller
SplunkTrust

I think it'll be easier with the separated plus/minus; then you can do this:

... | transaction threadid clientthread action startswith="actionstartend=+" endswith="actionstartend=-"

If you can modify your log files, I strongly recommend adding a unique transaction ID. Then you can simplify things and often also gain performance like this:

... | stats range(_time) as duration first(action) as action by transactionID

