https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403024#M169367 <P>There were spaces around the RequestID, I used the trim command to remove the spaces and it worked perfectly. Thanks a lot for your help!</P> <P>One last thing is there an easy way to group the duration in a bar chart? <BR /> For example I will like to group the requests by 5min spans i.e show the total number of requests that take 0-5 mins, 5-10 mins 10-15 mins etc. </P> Fri, 18 May 2018 18:35:53 GMT kaphie2002 2018-05-18T18:35:53Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403018#M169361 <P>Hello,</P> <PRE><CODE> I am trying to calculate the total time it takes for a request to be processed. I have two searches, the first search display the start time and the second search displays the end time. Now I need to create a table or chart that shows the duration for each request. </CODE></PRE> <P>Start time search - host=<EM>request</EM> c.m.p.t.ThumbnailProcessor | rex field=_raw ".<EM>jpg.(?.</EM>).<EM>\"code</EM>" | table RequestID _time</P> <P>End time search - host=<EM>images</EM> Successfully rendered | rex field=_raw ".<EM>images//(?.</EM>).jpg" | table RequestID _time</P> <P>How do I combine these two searches? </P> <P>I tried using append to combine both search results but I was only able to get the results i.e time and request ID from one search and not both. </P> <P>Thanks,<BR /> Kafayat</P> Thu, 17 May 2018 16:55:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403018#M169361 kaphie2002 2018-05-17T16:55:52Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403019#M169362 <P>I believe there are other, less expensive, ways to do this but I do it using transaction.</P> <P>You can do something like this:</P> <PRE><CODE>(host=request OR host=images) ("c.m.p.t.ThumbnailProcessor" OR "Successfully rendered") &lt;- or however to combine your data | eval Start_Time = case(host="request",_time) | eval End_time = case(host="images",_time) | transaction RequestID (fill in maxspan, etc that fits your query) | eval Elapsed_Time = (End_time - Start_Time) </CODE></PRE> Thu, 17 May 2018 17:25:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403019#M169362 kmaron 2018-05-17T17:25:37Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403020#M169363 <P>Give this a try</P> <PRE><CODE>(host=*request* c.m.p.t.ThumbnailProcessor) OR ( host=*images* Successfully rendered) | rex field=_raw ".*jpg.(?&lt;RequestID1&gt;.*).*\"code*" | rex field=_raw ".*images//(?&lt;RequestID2&gt;.*).jpg" | eval RequestID=coalesce(RequestID1,RequestID2) | eval host=if(match(host,"request"),"Start","End") | chart values(_time) over RequestID by host | eval Duration=End-Start </CODE></PRE> Thu, 17 May 2018 18:11:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403020#M169363 somesoni2 2018-05-17T18:11:48Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403021#M169364 <P>Hello Somesoni2,</P> <PRE><CODE> Thanks for your response, I think I'm pretty close. I used the query above but I am not getting the Duration in the output. The table shows 2 entries for each requestID one for Start and another for End but I can't compute the difference. I tried using the table command to show to values for Duration but it was blank. I am quite new to splunk so I don't know where to go from here. Thanks </CODE></PRE> <P>RequestID Start End <BR /> 123456 1526654924<BR /><BR /> 123456 1526654930<BR /> 78965 1526654945<BR /><BR /> 78965 1526654970<BR /> 654321 1526654985<BR /><BR /> 654321 152665500</P> <P>Thanks again!</P> Fri, 18 May 2018 15:07:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403021#M169364 kaphie2002 2018-05-18T15:07:07Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403022#M169365 <P>Oh no the formatting is bad. the first requestID shows the start time while the second shows the end time. </P> <P>Thanks </P> Fri, 18 May 2018 15:08:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403022#M169365 kaphie2002 2018-05-18T15:08:49Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403023#M169366 <P>Strange. The host values should be mutually excluding for events from host request and images and there should've been just one row per RequestID. See if this variation works.</P> <PRE><CODE>(host=*request* c.m.p.t.ThumbnailProcessor) OR ( host=*images* Successfully rendered) | rex field=_raw ".*jpg.(?&lt;RequestID1&gt;.*).*\"code*" | rex field=_raw ".*images//(?&lt;RequestID2&gt;.*).jpg" | eval RequestID=coalesce(RequestID1,RequestID2) | eval Start=if(match(host,"request"),_time, null()) | eval End=if(match(host,"images"),_time, null()) | stats values(Start) as Start values(End) as End by RequestID | eval Duration=End-Start </CODE></PRE> Fri, 18 May 2018 15:41:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403023#M169366 somesoni2 2018-05-18T15:41:16Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403024#M169367 <P>There were spaces around the RequestID, I used the trim command to remove the spaces and it worked perfectly. Thanks a lot for your help!</P> <P>One last thing is there an easy way to group the duration in a bar chart? <BR /> For example I will like to group the requests by 5min spans i.e show the total number of requests that take 0-5 mins, 5-10 mins 10-15 mins etc. </P> Fri, 18 May 2018 18:35:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403024#M169367 kaphie2002 2018-05-18T18:35:53Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403025#M169368 <P>Sure. Just add this to your currently working search. Duration is right now showing in secs, so we'll convert it to minutes, then bin it in 5 min buckets and then a stats command.</P> <PRE><CODE>your current search | eval Duration=round(Duration/60) | bin span=5 Duration | stats count by Duration </CODE></PRE> Fri, 18 May 2018 18:43:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-start-and-end-time-from-two-different-searches/m-p/403025#M169368 somesoni2 2018-05-18T18:43:25Z