https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69910#M180579 <P>search source="your files" | reverse | transaction TransactionID | eval TimeTaken=_duration | fields _time, TransactionID, TimeTaken | sort _time, TransactionID?</P> <P>Will that join the events as needed on TransactionID and then zoom in on the fields you need ?</P> <P>If not I'm possibly not understanding your requirements fully</P> <P>I've just recently used transaction and also delta to help get end to end timings for events</P> <P>In one case I resorted to using delta because I could not get the events into Splunk exactly right</P> <P>Otherwise I think transaction is simpler</P> Sun, 22 Sep 2013 13:30:05 GMT miken_hg5 2013-09-22T13:30:05Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69907#M180576 <P>2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent<BR /> 2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process</P> <P>If i need to calculate the total time for the above transaction (time taken of event=start_process - time taken for event=completed), how to go abt doing it?</P> Sun, 22 Sep 2013 12:31:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69907#M180576 thinksplunk 2013-09-22T12:31:50Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69908#M180577 <P>Could this be done using the | reverse | transaction TransactionId?</P> <P>The reverse should ensure that the start_process is listed before completed</P> <P>The transaction will join separate events into one combined event = a transaction<BR /> - and every unique value of TranscationID results in multiple transactions</P> <P>Splunk will automatically create a new field = _duration for you which is the difference between first and last event in the combined event.</P> <P>So you don't need to even do a time difference between the fields yourself</P> <P>nb: I note that the date and times for the events are identical in your quoted example - if there is no difference in log time NOR in the event details themselves, sadly _duration may prove to be 0?</P> Sun, 22 Sep 2013 13:02:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69908#M180577 miken_hg5 2013-09-22T13:02:51Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69909#M180578 <P>what i meant is that i want to have the below resulst for above lines of event based on event=start_process - event=completed for every transaction.</P> <P>TransactionID Time taken (1sec)<BR /> A 60<BR /> B 90<BR /> C 20 ...<BR /> etc</P> Sun, 22 Sep 2013 13:15:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69909#M180578 thinksplunk 2013-09-22T13:15:56Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69910#M180579 <P>search source="your files" | reverse | transaction TransactionID | eval TimeTaken=_duration | fields _time, TransactionID, TimeTaken | sort _time, TransactionID?</P> <P>Will that join the events as needed on TransactionID and then zoom in on the fields you need ?</P> <P>If not I'm possibly not understanding your requirements fully</P> <P>I've just recently used transaction and also delta to help get end to end timings for events</P> <P>In one case I resorted to using delta because I could not get the events into Splunk exactly right</P> <P>Otherwise I think transaction is simpler</P> Sun, 22 Sep 2013 13:30:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69910#M180579 miken_hg5 2013-09-22T13:30:05Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69911#M180580 <P>The transaction command creates a field called duration. In seconds. Done.</P> Sun, 22 Sep 2013 14:00:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69911#M180580 sowings 2013-09-22T14:00:19Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69912#M180581 <P>No need to <CODE>reverse</CODE>. Splunk will sort out the transaction anyway, as long as you're within reasonable limits regarding total transaction length and max time between events.</P> <P>see the docs for <CODE>transaction</CODE>.</P> Sun, 22 Sep 2013 17:59:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69912#M180581 kristian_kolb 2013-09-22T17:59:28Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69913#M180582 <P>as sowings points out, the transaction command will compute the duration for you, automatically. If you have <EM>very</EM> long transactions, you might be better off performance wise with <CODE>stats</CODE>;</P> <P><CODE>...| stats min(_time) as min_t max(_time) as max_t by TranasactionID | eval dur = max_t - min_t</CODE></P> Sun, 22 Sep 2013 18:02:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69913#M180582 kristian_kolb 2013-09-22T18:02:04Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69914#M180583 <P>Just a comment: "|reverse" is overkill here. Transaction understands that it should be in time order.</P> Mon, 23 Sep 2013 12:25:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-total-time-taken-for-each-transaction/m-p/69914#M180583 sowings 2013-09-23T12:25:59Z