topic Re: How to find the duration for order submission to each suborder process. in Splunk Search

How to find the duration for order submission to each suborder process.

ravi08402 — Fri, 02 Aug 2019 23:36:36 GMT

I am working for a product where I will have one order number, it has multiple suborders.
Once each suborder processes, I will get the suborder number and main order number.
I need to find the duration for order submission to each suborder process.

For example:
my order is abc, sub orders i have 1,2,3
my result set should be
order sub order duration
abc 1 10
abc 2 23
abc 3 15

When I use transaction for this search I am getting duration between main order submission to last sub order processed.
How do I get individual duration?

Re: How to find the duration for order submission to each suborder process.

niketn — Sat, 03 Aug 2019 02:53:54 GMT

@ravi08402 please add more details to the events from your sub order that help you identify that Sub Order is being processed and processing has completed. Also is there a state in the main order that identifies it starting and completion?

What is the current transaction command you are using.

Please ensure to mock/anonymize any sensitive information in your data/code before posting on Splunk Answers.

Re: How to find the duration for order submission to each suborder process.

ravi08402 — Mon, 05 Aug 2019 22:21:45 GMT

@niketnilay when i submit order the log looks like below.

2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

after request processed, we can see individual sub line (sub order )details as below

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

When i use this query all possible events are forming as one event.
(source="source2" Source=RESPONSE) OR (sourcetype="source1" AuditLog: A=CR) | transaction OrderNumber duration

i need to know time difference between main line to each sub line processing duration.

Re: How to find the duration for order submission to each suborder process.

diogofgm — Mon, 05 Aug 2019 23:50:18 GMT

are the timestamps in your example data correct?
is there a relation between LineSeqNumber and timestamp?
Is it safe to assume the order happens before the sub orders? (its not the case in your example data)

Re: How to find the duration for order submission to each suborder process.

ravi08402 — Mon, 05 Aug 2019 23:58:25 GMT

2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

after request processed, we can see individual sub line (sub order )details as below

corrected the timestamp. No there is no relation between time stamp and LineSeqNumber.

Re: How to find the duration for order submission to each suborder process.

diogofgm — Tue, 06 Aug 2019 00:15:25 GMT

Try this:

(sourcetype="source1" AuditLog: A=CR) 
| join OrderNumber [search (source="source2" Source=RESPONSE) | stats min(_time) AS start by OrderNumber]
| eval duration = _time - start

Explanation:
sub search to get the time for each order number and the join the result using the order number in the sub order events making the order time available in every sub order. from there you can just calcule the duration using eval.

Re: How to find the duration for order submission to each suborder process.

ravi08402 — Fri, 09 Aug 2019 21:53:19 GMT

Thanks it worked for me