How to get the time duration between two scenarios?

joshimeister — Tue, 29 Sep 2020 21:14:01 GMT

Hey all,

I wanted to see if someone can help me out with this. Basically im trying to get a duration for the time in between 2 scenarios. Im trying to get how long it takes for each user to get from scenario_1 to scenario_2 by service. This is what I have so far and it seems to work when I do by individual service:

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2") user_ID="*" service_name="*service_1*"
| transaction user_ID
| stats mean(duration) AS "Mean Duration(In Seconds)" by service_name

Stats table shows:

service_name         |       Mean Duration(In Seconds)
service_1                                   7.25

It returns a low number and when I manually checked the mean time by user_ID, it is correct.
However, when I want to get the mean duration for all services, I get a much higher number, especially for service_1 above. Keep in mind, I have 9 services Im trying to get numbers from. So basically when I run the following and dont specify a service_name or I include more than service name, i get much higher numbers for (exactly the same period of time) as the mean duration for each service(note service_1 is the same service as the above result but returning much higher number):

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2") user_ID="*"
| transaction user_ID
| stats mean(duration) AS "Mean Duration(In Seconds)" by service_name

Stats table shows:

service_name         |       Mean Duration(In Seconds)
service_1                                        189.57
service_2                                         5.75
service_3                                         5.75
service_4                                         1.35
service_5                                         6.25
service_6                                         10.40
service_7                                         4.53
service_8                                         8.78
service_9                                         6.72

Ive also experimented with looking further back in the time and the mean duration goes up as I go further back in time if i dont specify 1 service or include more than 1 service or include all services.

Hopefully I made sense and someone can help me with what am I doing wrong.

thx!!

Re: How to get the time duration between two scenarios?

_gkollias — Wed, 12 Sep 2018 21:05:50 GMT

Does something like this help for starters? Since you're always looking for UserID, I included it in the initial stats. Ultimately, my logic is trying to transform like-events to a singular view by using stats and grouping by some unique identifier. By using earliest and latest functions, we can calculate duration before calculating average. Stats is also less taxing if you're able to fit it in:

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2") 
| stats earliest(_time) as start_time, 
latest(_time) as end_time, 
latest(userID) as userID 
by service_name, scenario_type
| eval duration = end_time-start_time

From there you can roll this up to more of a summary view with avg durations, etc.:

| stats avg(duration) as avg_duration count(userID) as user_id by service_name

You might need to play around with the second stats depending on how your data looks, but try this out for now and let me know how it looks.

topic Re: How to get the time duration between two scenarios? in Splunk Search

How to get the time duration between two scenarios?

Re: How to get the time duration between two scenarios?