topic Re: Subtract Search results in Splunk Search

Subtract Search results

lokival — Sun, 21 Aug 2011 03:07:47 GMT

New to splunk - Using version 4.2.3, build 105575

I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this -

id_numer | search "MsgNo=0" OR "Hang Up"

Which gives me results like -

1 12/29/09 9:34:17.934 AM 12/29
09:34:17.934 2-11150042> Hang Up

2 12/29/09 9:29:51.043 AM 12/29
09:29:51.043 2-11150042> RCV:
SessNo=111, MsgNo=0, NextExp=0

How do I subtract these two results so I can get the time answer to

{time of first result) - (time of second result) = total time taken

That is -

9:34:17.934 - 9:29:51.043 = ?

Thanks,

Re: Subtract Search results

ftk — Sun, 21 Aug 2011 03:49:52 GMT

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"

this will give you the duration of the transaction in a field aptly named duration.

The transcations chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions

Re: Subtract Search results

lokival — Fri, 26 Aug 2011 18:18:42 GMT

Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results.

Oddly, playing with the maxspan value (10m / 30m / 45m) gives results?

Re: Subtract Search results

acdevlin — Fri, 26 Aug 2011 18:34:06 GMT

Maxspan finds all transactions which fit into the desired time constraint. It is useful when you can guarantee a maximum time between your starting and ending events, but not if you don't know the maximum possible time.

You might want to play with "startswith" and "endswith" some more; you could even take out the "startswith", then try with the query as | transaction id_number endswith="Hang Up" just to see if you get any results.

Re: Subtract Search results

lokival — Fri, 16 Dec 2011 16:05:41 GMT

Thanks, eventually figured our the ideal setting was 20m

Re: Subtract Search results

deeboh — Mon, 16 Apr 2012 23:00:03 GMT

Hey guys I have a follow up question similar to this ask. I'm familiar with how transaction work, but i'm having fits trying to find or calculate the difference between duration events. Transaction groups "like" events, then sums the time within that event grouping. Ok, enough of a rehash of the manual.

My question is this. has someone come up with a way to find the duration "between" the durations? Here is my result set i'm working with. The ask is how do I get a running total of the difference 1 and 2, then 3 and 4. Of course i'll want to display this in my chart as well:D
Here's what I have so far -

1 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

2 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

3 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

4 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

Thanks in advance.