Documentation > Splunk > Application Management > Use a transaction across tiers

Application Management

 


Application Management with Splunk
Index Data
Application Management Use Cases
Walkthrough: Index Data
Walkthrough: Troubleshoot using ID and Time
Walkthrough: Group Events into Transactions
Walkthrough: Monitor Transaction Performance
Walkthrough: Create a Business Dashboard

Use a transaction across tiers

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Use a transaction across tiers

You can use transactions to tie data together across tiers. This allows you to really trace a transaction throughout your application, including calls external to the application servers such as database operations. Complex transactions can be used to trace a problem from where it's noticed (for example, a web server) to the root cause even if that root cause is several hops away; they can also be used to investigate and monitor application performance.

If you don't have a single field or value that appears across all your logs, sometimes you can tie your transaction together by mapping dissimilar elements of different logs to each other. You create this mapping simply based on commonalities that already exist between the files, even if there is no formal relationship between the different log files. This is different from a database or any tool that uses a schema. Such tools require a foreign key to create a referential constraint between the files -- a requirement is baked in from the beginning and can not be changed easily. In contrast, Splunk lets you choose your common fields based on your existing data and your needs. Splunk's transaction tracing is also far more comprehensive than bytecode transactions, which cannot see beyond the boundaries of the actual application code.

In the example, another data source, the J2EE logs from the middle tier (sourcetype=j2eelog) contains the same accountNumber field. Then the same transaction ties together events across multiple tiers.

To extend your transaction:

1. If you are in Event Table View, switch back to Event View by clicking the Event View icon:

AppManageEventViewButton.png

2. Run your search. Make sure to include both types of logs in the input.

index=test sourcetype=weblog OR sourcetype=j2eelog | transaction accountNumber maxspan=1m maxpause=30

Here's a sample transaction generated by this search: 

3/24/10 11:28:54.301 AM

2010-03-24 11:28:54,301 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Begin posting message to content store
2010-03-24 11:28:54,322 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Opening connection to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,397 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Connection established to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,474 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Writing message to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,581 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Finished writing message to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,654 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Closing connection to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,676 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Connection closed to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,760 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Finished posting message to content store
<TRANSACTION date="2010-03-24 11:28:54,797" activityCode="1010" sequenceNumber="100198887" accountNumber="COT6037774908" subscriberID="6037774908" callerID="MAR10209LA" transactionStatus="COMPLETE" result="SUCCESS" host="10.34.51.91" comment="Invocation of Content API for sequenceNumber 100198887 Successful" />

    * host=j2eeserver15 
    * host=webserver23 
    * sourcetype=j2eelog 
    * sourcetype=weblog 
    * source=/var/log/j2eelog/j2eeserver15/J2EE.log 
    * source=/var/log/weblog/webserver23/WEB.log 
    * duration=0.496

This output is very similar to the previous example, but it now includes an additional related event from the J2EE logs. The duration is slightly longer because the J2EE event is included in the calculation.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1.4/AppManagement/Useatransactionacrosstiers"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!