topic Re: Time duration in Splunk Search

Time duration

chaitu99 — Fri, 22 Mar 2013 06:50:08 GMT

Hi,

03/22/2013 05:27:59.603 Message 1
03/22/2013 05:27:59.920 Message 1
03/22/2013 05:28:00.245 Message 1
03/22/2013 05:28:00.561 PROTOCOL 5
03/22/2013 05:28:00.876 Message
03/22/2013 05:28:01.202 FACTOR 6
03/22/2013 05:28:01.518 Message 9
03/22/2013 05:28:01.520 Message 9

I need duration between ("message 1" just before PROTOCOL 5) AND Message 9 just after FACTOR 6

but i have written query below like..

source="$SOURCE" |transaction startswith=("Message 1") endswith=("Message 9")|search ("PROTOCOL 5")|stats count perc95(duration) as VALUE

but that is not working because it is taking first message 1 timestamp value but i need just before PROTOCOL 5 message value.

Please let me know how to go ahead.

Re: Time duration

rechteklebe — Fri, 22 Mar 2013 07:36:12 GMT

Change the time frame to 05:28:00.245 - 05:28:01.518. Should work.

Re: Time duration

chaitu99 — Fri, 22 Mar 2013 08:44:58 GMT

actually here time stamps are not constant. main thing is we need to find the time difference as stated above.
could you please help us?

Re: Time duration

rechteklebe — Fri, 22 Mar 2013 10:13:11 GMT

You can also try using this:

source="$SOURCE" |transaction startswith=("05:28:00.245 Message 1") endswith=("05:28:01.518 Message 9")|search ("PROTOCOL 5")|stats count perc95(duration) as VALUE

I think your timestamp should also be available in the event itself..like this:

Splunk timestamp --> [timestamp, message]

Re: Time duration

chaitu99 — Mon, 25 Mar 2013 15:01:11 GMT

say there is no time stamp then how can we get the time difference?

is there any alternative to get time difference without that?

Re: Time duration

rechteklebe — Wed, 27 Mar 2013 14:17:52 GMT

I think it depends on the fields you defined in your environment. Are there any defined fields "startTime" "EndTime" or any other fields which could refer to each event?

Or is there no time fields and all fields are the same for message 1 e.g.?