Splunk - Merging Associated Events

Question

I have a script which sends individual events into Splunk, each event is essentially a report on a HTTP Request, either GET or POST. The event contains a number of fields but two key ones are StepName and Timing:

1. StepName will be a title for the HTTPRequest etc. PostLogin
2. Timing will be a int value of the milliseconds taken by HttpRequest

I'm writing a report which shows the average time taken for each step over last 15 minutes. However, from an end users point of view, some steps are part of one process e.g.

1. Step1 - GetLoginPage
2. Step2 - PostLoginPage
3. Step3 - ProcessUserDetails
4. Step4 - GetHomePage

In this case Step2 and Step3 would be one process for an end user, therefore I'd like to be able to report on these as if they were one step so the following:

---

GetLoginPage 50
PostLoginPage 100
ProcessUserDetails 250
GetHomePage 80

---

would become

---

GetLoginPage 50
PostLoginPage 350
GetHomePage 80

---

I can use a replace on the StepName so I have

---

GetLoginPage 50
PostLoginPage 100
PostLoginPage 250
GetHomePage 80

---

How can I then merge these results so it summates the two PostLoginPage steps and then gives me an average over the time period for the three individual steps?

Note each step has a field called TransactionGUID which associates a group of steps for the same execution.

Answer 1

If you post your question over at http://splunk-base.splunk.com/answers/ , you'll have access to a greater audience of Splunk expertise , and I will attempt to answer your question there.