I'm posting a new answer because I can't comment from my workplace for some reason.

To calculate times within a transaction, you should eval the times before initiating the transaction, eval your time differences within each transaction, then use stats to find the time differences average or whatever you need. For example:

```
index=citrix sourcetype="wts_log"
| eval Start_Time=if(Status="STARTED",_time,null())
| eval Step_1_Time=if(Status="Step1_Complete",_time,null())
| eval Step_2_Time=if(Status="Step2_Complete",_time,null())
| eval Step_3_Time=if(Status="Step3_Complete",_time,null())
| eval Step_4_Time=if(Status="Step4_Complete",_time,null())
| eval Finish_Time=if(Status="FINISH",_time,null())
| transaction UserName host startswith="STARTED" endswith="FINISHED"
| eval Step_1_Completion=Step_1_Time-Start_Time
| eval Step_2_Completion=Step_2_Time-Start_Time
| eval Step_3_Completion=Step_3_Time-Start_Time
| eval Step_4_Completion=Step_4_Time-Start_Time
| stats avg(Step_1_Completion) as Step_1_Completion_Average, avg(Step_2_Completion) as Step_2_Completion_Average, avg(Step_3_Completion) as Step_3_Completion_Average, avg(Step_4_Completion) as Step_4_Completion_Average
```

The search is longer now, but you can figure all kinds of inter-transaction timing with this kind of search.

Timestamps are critical for debugging, analytics, and deriving transactions. Splunk will automatically timestamp events that don't include them using a.

3 weeks ago

You can convert the values to time integer values with `eval t1=strptime(time1, "%H:%M:%S.%Q")`, but that will then give t1 as a representation of 'today' and that time, including any time zone relevance, so if you have two times where time1=23:59:59 and time2=00:00:02, then that falls down.

You transform the events using the Splunk Search Process Language.

Correlating Events: Identify transactions. Group events using fields. Group events.