Charting the application's functional performance

Another of the data samples we loaded in Chapter 1, Play Time – Getting Data In, contained application logs from our application server. These have a Splunk sourcetype of log4j and detail the various calls that our application makes to the backend database in response to user web requests, in addition to providing insight into memory utilization and other health-related information. We are particularly interested in tracking how our application is performing in relation to the time taken to process user-driven requests for information.

In this recipe, we will write a Splunk search to find out how our application is performing. To do this, we will analyze database call transactions and chart the maximum, mean, and minimum transaction durations over the past week.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker.

How to do it…

Follow the given steps to chart the application's functional performance over the past week:

  1. Log in to your Splunk server.
  2. Select the Search & Reporting application.
  3. Ensure that the time range picker is set to Last 24 hours and type the following search into the Splunk search bar. Then, click on Search or hit Enter.
    index=main sourcetype=log4j | transaction maxspan=4h threadId | timechart span=6h max(duration) AS max, mean(duration) AS mean, min(duration) AS min
  4. Splunk will return a tabulated list detailing the maximum, mean, and minimum database transaction durations for every 6-hour period over the last 24 hours.
  5. This is great, but hard to visualize in a tabular form. Click on the Visualization tab and you will see this data represented as a chart.
  6. Click on the chart type link in the upper-left of the chart (next to the Format link) and select Line if not already selected. Splunk now presents this data in a nice line chart, and we can now see the maximum, mean, and minimum levels much more clearly.
  7. Save this search by clicking on Save As and then on Report. Give the report the name cp02_application_performance and click on Save. On the next screen, click on Continue Editing to return to the search.

How it works…

Let's break down the search piece by piece:

Search fragment: index=main sourcetype=log4j

Description: In this example, we search for our application logs, which have the log4j sourcetype.

Search fragment: | transaction maxspan=4h threadId

Description: Using the transaction command, we consolidate multiple events with a common threadId into single-event, multiline transactions. The maxspan option tells Splunk to only look at events with the same threadId that are within 4 hours of each other. The transaction command also calculates a new field called duration. This is the duration in seconds from the first event in the transaction to the last event in the transaction.

Search fragment: | timechart span=6h max(duration) AS max, mean(duration) AS mean, min(duration) AS min

Description: Using the timechart command, we specify a span of 6 hours. We then use the max, mean, and min functions on the duration field. Splunk analyzes the transaction durations in each 6-hour period and calculates the max, mean, and min durations for that period.

Tip

The transaction command is an extremely resource-intensive (CPU/memory) search command. When using this command, be sure to use the maxspan option where possible, as this limits the grouping to transactions that fall within the specified maxspan timeframe.
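The following Python sketch is an added example, not code from the book or from Splunk. It is a simplified model of what the search computes: events are grouped by threadId, a new transaction starts when maxspan would be exceeded, and durations are summarized per 6-hour bucket. The sample events, the function names, ascending-time processing, and epoch-aligned buckets are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

MAXSPAN = 4 * 3600   # models maxspan=4h, in seconds
SPAN = 6 * 3600      # models timechart span=6h, in seconds

# Constructed sample events as (epoch seconds, threadId); not real log4j data.
EVENTS = [
    (0, "T1"), (10, "T1"), (30, "T1"),
    (100, "T2"), (160, "T2"),
    (18000, "T1"), (18030, "T1"),   # T1 reused 5h later: must not merge
    (25200, "T3"), (25205, "T3"),
]

def transactions(events, maxspan=MAXSPAN):
    """Group events by threadId into (start_time, duration) pairs.

    A threadId seen again more than maxspan after the first event of its
    open transaction closes that transaction and starts a new one.
    """
    open_tx = {}   # threadId -> [first_ts, last_ts]
    done = []
    for ts, tid in sorted(events):
        tx = open_tx.get(tid)
        if tx and ts - tx[0] <= maxspan:
            tx[1] = ts                      # extend the open transaction
        else:
            if tx:
                done.append((tx[0], tx[1] - tx[0]))
            open_tx[tid] = [ts, ts]         # start a new transaction
    done.extend((first, last - first) for first, last in open_tx.values())
    return sorted(done)

def timechart(txs, span=SPAN):
    """Bucket transactions by start time and compute max/mean/min duration."""
    buckets = defaultdict(list)
    for start, duration in txs:
        buckets[start - start % span].append(duration)
    return {b: {"max": max(d), "mean": mean(d), "min": min(d)}
            for b, d in sorted(buckets.items())}

if __name__ == "__main__":
    for bucket, stats in timechart(transactions(EVENTS)).items():
        print(bucket, stats)
```

Without the maxspan limit, the two T1 groups would merge into one transaction of 18030 seconds and distort the maximum and mean for the first bucket.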

There's more…

In this recipe, we leveraged the transaction command. This is a very useful and powerful command, and we will revisit it in more depth and complexity later in the book.

See also

Also refer to the following recipes for more information:

  • The Charting the application's memory usage recipe
  • The Counting the total number of database connections recipe