This is really tricky to explain, so please bear with me. I'm working on a TIBCO app to show events for a service run, the job it runs as, and the child jobs running under it. I'm having difficulty displaying the child jobs in relation to the parent job that represents the whole execution of the service. I have a search like this:

index=test-tibco parent_job_id=80353 | transaction service_name, parent_job_id, child_job_id | eval event_time=_time | convert ctime(event_time) | transaction service_name, parent_job_id | eval newtime=_time | convert ctime(newtime) | table newtime, service_name, parent_job_id, job_status, event_time, child_job_id, MessageText

I'm open to different display approaches, so if you disagree with how I want to show this data, please feel free to propose a better design. Is this possible? If so, how? (I know the data seems junky, but some of these really are 1-millisecond requests of container jobs and whatnot.)

EDIT for additional info: Essentially, my goal is to have a table within my end table to show the child jobs' info and bubble up into the parent job. Parent_job_id is only for my testing purposes - I'm more concerned about the formatting. I'm also curious if anyone has figured out a low-effort manner to achieve the design described in.

This is modified from a query I ran on my own test data, so it may need tinkering.

index=test-tibco parent_job_id=80353 | eval foo=event_time."::".child_job_id."::".MessageText."::" | transaction service_name, parent_job_id | rex max_match=20 field=foo "^(?<EventTime>.*?)::(?<ChildJobId>.*?)::(?<MessageTextItem>.*?)::\s" | table service_name, parent_job_id, EventTime, ChildJobId, MessageTextItem

The first eval joins your three target fields into one field for each event. I used a double colon to join, but it can be any character sequence that doesn't appear in your data. After the transaction command, foo contains the sequence of all events in the transaction. The rex command splits the foo field back into its components. Note the max match parameter must be set to some number greater than 1 to match multiple entries in the field. Unfortunately there doesn't seem to be a way to make it unlimited (setting it to 0 didn't work), so you'll have to set it high enough to cover the maximum number of transaction events in your environment. I don't know what the performance implications of a high max match would be.

Miscellaneous notes: Your MessageText field has spaces in the data, while my test data does not. Since there is a terminating :: delimiter at the end of foo, I think this will still work, but those spaces are something to keep in mind if you have to play with the regex. Also, I tried to keep the three fields joined as one, but the formatting didn't work out; trying to figure out tab characters in headers and such didn't make sense.

Basically, we need to determine a path from point X to point Y. Anytime a person reaches a point, an event is logged that he reached that point. And how that person reached point Y, always beginning at X. And the returned transaction would be a list of these events.

Basically the rule is, if you think you need a transaction, you don't. Transaction simplifies the combining of event data, and tracks number of events and duration. So when you roll it yourself you are going to need to be real familiar with stats and eval functions. Between Splunk docs and Stack Overflow, you're looking at "transaction optimization/performance" or "replace transaction with stats", which should get you where you want to be. A transaction type is a configured transaction, saved as a field and used in. end for presentation using the rename command.

And rule #1 when building alerts: before you build the alert, what are you going to do with it once you get it? Alerts should be actionable, otherwise it's a report or a dashboard. Do you REALLY want to notify on every log off? If it's a large data set, it's potentially a large number of alerts, which is not always good. Are you maybe just looking for users who haven't logged in for a while? This seems to be a tricky use-case on its face, so start by getting "session duration" information from your data. Then remove any active sessions from the computation, then remove those that haven't been active (time since event) for some period of time.
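A stats-based version of the same child-job roll-up, added here as an example and not code from either poster: it groups child events under service_name and parent_job_id, keeps the child items in event order, and splits them back out with mvexpand and rex, so no max_match guess is needed. It assumes the fields from the question's search (child_job_id, job_status, MessageText) and that each child job event is its own raw event.

```spl
index=test-tibco parent_job_id=80353
| eval child_item=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")."::".coalesce(child_job_id, "")."::".coalesce(MessageText, "")
| stats min(_time) AS start_time max(_time) AS end_time count AS event_count
        values(job_status) AS job_status list(child_item) AS child_items
        BY service_name, parent_job_id
| eval duration_sec=end_time-start_time
| convert ctime(start_time) ctime(end_time)
| mvexpand child_items
| rex field=child_items "^(?<EventTime>.*?)::(?<ChildJobId>.*?)::(?<MessageTextItem>.*)$"
| fields - child_items
| table start_time, end_time, duration_sec, event_count, service_name, parent_job_id, job_status, EventTime, ChildJobId, MessageTextItem
```

list() preserves event order but returns at most 100 values per group by default (list_maxsize in limits.conf), so very large parent jobs need that raised. Because stats does not hold whole transactions in memory, this is the "replace transaction with stats" route the thread recommends.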