topic Re: calculate time difference between starting and completing a task in Getting Data In

calculate time difference between starting and completing a task

atreece — Mon, 28 Sep 2020 10:14:18 GMT

I have a database that stores a separate event every time someone starts or stops a task. This should be a simple task, but I cant seem to figure out how to go about the calculation. There are three things I need to account for: accepting the task, abandoning the task, and completing the task. I only want to calculate the time it takes between each user's accepting a task and completing it. If they abandoned it, then I don't want splunk to calculate the time

This is working off of timestamps and the fields user_name and action

action=0 for accepting

action=1 for completing

action=2 for abandoning

Any suggestions as to how I would go about this calculation?

EDIT: My supervisors loved it, but now they want me to cut out times when the users are not logged in. I asked around, and got a nice addition to the logs: total_login_time, which, as it's so simply named, is a simple record, in milliseconds, of how long the users have been logged in to the site. Can I still use transaction? Or do I need to change it entirely?

Re: calculate time difference between starting and completing a task

tgow — Tue, 20 Dec 2011 14:38:57 GMT

I would recommend that you take a look at the "transaction" command. It has a built in field called "duration". Here is an example of how to use it.

source="your data" | transaction action beginswith="0" endswith="2"

You might need to experiment with the maxspan and maxpause as well.

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Transaction

Re: calculate time difference between starting and completing a task

Ayn — Tue, 20 Dec 2011 14:56:16 GMT

+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:

... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)

Re: calculate time difference between starting and completing a task

tgow — Tue, 20 Dec 2011 15:15:09 GMT

Great Stuff Ayn. Thanks. Give the points to Ayn!

Re: calculate time difference between starting and completing a task

atreece — Tue, 20 Dec 2011 15:37:47 GMT

That's giving me some very nice results!
Thank you!

Re: calculate time difference between starting and completing a task

atreece — Mon, 28 Sep 2020 10:14:20 GMT

Yes, I did have to change it around a bit. The resulting search string looks a bit like this:

and it's giving me fairly nice results.

on an unrelated note, I love your picture. That game was really fun.

Re: calculate time difference between starting and completing a task

Splunkster45 — Mon, 13 Oct 2014 16:28:42 GMT

This is exactly what I was looking for!