topic Re: Response Time Calculation between 2 different events in Splunk Search

Response Time Calculation between 2 different events

hemendralodhi — Tue, 29 Sep 2020 15:17:15 GMT

Hello,

I am trying to find response time between events in different sourcetype but not able to figure out how to find time difference. For some it is coming correctly but for some value is coming negative , look like end time value is not coming correctly. Below is the search I am using. I need to find value based on common conversation ID and find avg by action. I tried with transaction but with conversation id is not having same value for all the events and transaction is not working.

index=A sourcetype="A_log4j" "Input Validation Passed" | rex "CONV_ID\s:\s(?.+)" | stats values(_time) as start by conversation_id | appendcols [search index=A sourcetype="B_log4j" "Outbound payload received" | rex "convId:\s(?[^/,]+)" | rex "action:\s(?[^/,]+)" | stats values(_time) as end by conversation_id,action] | eval diff=tonumber(start-end)| table conversation_id start action end diff.

For some : getting wrong value for subsearch and hence diff time is coming incorrectly. Please advise how I can find response time in this scenario.

Thanks much!!

Re: Response Time Calculation between 2 different events

hemendralodhi — Tue, 08 Aug 2017 11:47:05 GMT

Also in both the source time format is different for first search it is like this : 06-Aug-2017 17:00:31,381, for subsearch data it is 2017-08-06 17:00:31

Re: Response Time Calculation between 2 different events

cmerriman — Tue, 08 Aug 2017 11:48:41 GMT

instead of values(_time) try earliest or min in both the base search and the subsearch.

Re: Response Time Calculation between 2 different events

hemendralodhi — Tue, 08 Aug 2017 13:10:15 GMT

still getting the same results.

Re: Response Time Calculation between 2 different events

cmerriman — Tue, 08 Aug 2017 13:30:55 GMT

when you run the subsearch on its own, are you getting the correct time? grab one conversation_id and action that looked wrong and check the events and then add the stats command. does that match the indexed _time?

Re: Response Time Calculation between 2 different events

woodcock — Tue, 08 Aug 2017 14:27:22 GMT

If you need | stats abs(max(_time) - min(_time)) then just use | stats range(_time).

Re: Response Time Calculation between 2 different events

vkari — Mon, 28 Jan 2019 04:41:17 GMT

index=myindex1
eventName=5000 --->have b(starting time and ending time ) and reference id
eventName=5001 --->have (starting time and ending time ) and reference id

here my condition if both event names - reference id are same then,
event 5000 stating time and event 5001 ending time and total duration of time and average time I need to show in dashboards
can you please provide query