topic Re: transaction duration between subevents in Splunk Search

transaction duration between subevents

aaronkorn — Mon, 28 Sep 2020 14:42:17 GMT

Is it possible to calculate all the duration between subevents in a transaction? For example..

Here's the search:

index=citrix source="C:\Temp\tslogon_log.txt" | transaction UserName host startswith="STARTED" endswith="FINISH"

...and output

We would like to calculate the time difference between all steps in the transaction. So between Started and Step1_Complete, then Step1_Complete and Step2_Complete etc.. which all those differences should add to the 2.39 seconds Splunk calculated for the overall transaction. Any ideas?

Thanks!

Re: transaction duration between subevents

kristian_kolb — Tue, 03 Sep 2013 17:09:36 GMT

Hmm, you cant use _time after the transaction, so you must make an eval before the transaction, in order to preserve the timestamp for each subevent in a multivalued field.

...| eval sub_time = _time |

Re: transaction duration between subevents

lguinn2 — Thu, 05 Sep 2013 00:10:10 GMT

I am not sure that you need the transaction command. The following

index=citrix source="C:\Temp\tslogon_log.txt"
| sort  UserName host _time
| delta _time as StepTime p=1
| eval Step=case(searchmatch("STARTED"),null(),
            searchmatch("Step1_Complete"),1
            searchmatch("Step2_Complete"),2
            searchmatch("Step3_Complete"),3
            searchmatch("Step4_Complete"),4
            searchmatch("FINISH"),5
            1=1,null())

will create two new fields StepTime and Step, which can be used in a variety of ways

| stats avg(StepTime) as AverageStepTime by Step

| stats avg(StepTime) as StepTime by User Host Step

This solution requires that every "transaction" must have all of the components. It is okay if a transaction is in progress, as it will only calculate the completed steps. However, if the START is not logged or a step is not logged, then it may not work properly.