https://community.splunk.com/t5/Getting-Data-In/Find-the-Difference-between-Timestamps/m-p/171980#M34673 <P>In Splunk I'm tracking web service calls which have a request/response pairs. So for example we have a Get Delivery Schedule web service which has a SOAP request and response. We have a unique identifier (GUID) tied to the request response pairs which match each other. I want to find the time from when the request was made to the time there was a response. So I was thinking of making a new field which would take the difference between the response timestamp and the request time stamp and applying it to the request event. So then I could search for all the requests by using the GUID and have that response time tied to each request. I then wanted to grab all the response times and export it to Excel so I can do an analysis. </P> <P>Any idea how I could do this? </P> Fri, 02 Jan 2015 15:31:00 GMT skoelpin 2015-01-02T15:31:00Z https://community.splunk.com/t5/Getting-Data-In/Find-the-Difference-between-Timestamps/m-p/171980#M34673 <P>In Splunk I'm tracking web service calls which have a request/response pairs. So for example we have a Get Delivery Schedule web service which has a SOAP request and response. We have a unique identifier (GUID) tied to the request response pairs which match each other. I want to find the time from when the request was made to the time there was a response. So I was thinking of making a new field which would take the difference between the response timestamp and the request time stamp and applying it to the request event. So then I could search for all the requests by using the GUID and have that response time tied to each request. I then wanted to grab all the response times and export it to Excel so I can do an analysis. </P> <P>Any idea how I could do this? </P> Fri, 02 Jan 2015 15:31:00 GMT https://community.splunk.com/t5/Getting-Data-In/Find-the-Difference-between-Timestamps/m-p/171980#M34673 skoelpin 2015-01-02T15:31:00Z https://community.splunk.com/t5/Getting-Data-In/Find-the-Difference-between-Timestamps/m-p/171981#M34674 <P>Have a look at the <EM>transaction</EM> command. If your search returns requests and responses with an identifier, all you usually need to do is add something like "| transaction GUIDFIELDNAME"</P> <P>Depending on things such as maximum expected request time and if request and response events have identifiers you could make it more reliable by using additional options like <EM>maxspan, startswith,</EM> and <EM>endswith</EM>.</P> <P>This command will add some fields to your results, one of which is duration in seconds, and this sounds like what you are after.</P> <P>See: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/transaction">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/transaction</A></P> Fri, 02 Jan 2015 18:47:21 GMT https://community.splunk.com/t5/Getting-Data-In/Find-the-Difference-between-Timestamps/m-p/171981#M34674 chanfoli 2015-01-02T18:47:21Z