If you are monitoring your application with Splunk, you can easily create some cool dashboards to see quickly what append. And, in some cases, you want to know how much a treatment took.
To do it, you have to do a transaction following the next model
[search] | transaction [common value between events] startswith="[key=value of a parameter of the first event]" endswith="[key=value of a parameter of the second event]"
Example
With this example, we want to check the duration between the log L1 and the log L4. And our common value is the id of the transaction.
So our search will look like :
[search] | transaction transactionId startswith="step=P1" endswith="step=P4"
Following the same process, you can check the duration between P1 and P3, P2 and P3 ...
Result
The result of this request will contain the two logs and a new field: duration.
Knowing that, you can :
- display the value with the others
- do some stats with
...| stats max(duration)
...| stats min(duration)
...| stats avg(duration)
- display it in a table
...| table duration
- use this request in a dashboard
- ...
I hope it will help you!
Top comments (0)