| rename COMMENT as "If more records are possi ble than start and end, only let the start and end through. | eval duration=if(isnull(tranEndTime),null(),duration) I just started using splunk, and as i see ill need these keyword: transaction, field extract (, and. Max(_time) as nowtime, max(tranEndTime) as tranEndTime, range(_time) as duration by URI Calculate response time from starttime and endtime. | stats min(_time) as starttime, max(tranStartTime) as tranStartTime, | rename COMMENT as "Group the records, clean up duration if the transaction has not completed." | rex "TranasactionStartTime=(?+) TransactionEndTime=(?*)( |NA)" | rename COMMENT as "Extract the times from the record" If you want to alert that the job has completed, you need to key on the event where _time = TransactionEndTime. If you want to alert that the job has started, you need to key on the job where _time = TranasactionStartTime. (Note the extra a in Tran a saction in the events.) The eval durationd1-d2 subtracts the two to get your duration, then the last statement just reformats the duration to be something other than seconds. All the records have TranasactionStartTime set to the same time. SPLUNK-TRACE-DateandTime - 12:30:10.908 ThreadID=2084 ThreadIDHex=00000 ThreadName= Node=MBR8:8448 meta-transid=INTERNAL_f63e8-184e-49b-96d-8bbff0e5 ConsumerSenderID=NA URI=/member* TranasactionStartTime= 12:30:10.908 TransactionEndTime=NA TransactionStatus= Method=GET StatusCode= Backend=GetMber, -Įasy enough. SPLUNK-TRACE-DateandTime - 16:27:18.570 ThreadID=200 ThreadIDHex=00000 ThreadName= Node=MBR2:8448 meta-transid=INTERNAL_4f2d8b-11-48-8d-8e1776 ConsumerSenderID=NA URI=/member* TranasactionStartTime= 16:27:15.645 TransactionEndTime= 16:27:18.570 TransactionStatus=SUCCESS Method=GET StatusCode=200 Backend= ErrorMsg= JDBCInvocation= JDBCWaitTime= CacheContentFlag=UNKNOWN CaptureLocation=Response Index=test_prod URI=/member*| eval StartTime=strftime(_time,"%Y/%m/%d %H:%M:%S")| head 1 | append | transaction URI When i use this query i have start time and stop time
0 Comments
Leave a Reply. |