topic time delay in Splunk Search

time delay

chaitu99 — Fri, 22 Mar 2013 10:04:05 GMT

Hi,

10:27:xx.xxx Message 1
10:31:xx.xxx Message 1
10:35:xx.xxx Message 1
10:38:xx.xxx conf msg
10:82:xx.xxx Message 2
10:85:xx.xxx req xyz
10:87:xx.xxx Message 2
10:89:xx.xxx Message 2

i've sample log like this. here i need to find the delay(time difference) between Message 1 before "conf msg" and Message 2 immediate next to "req xyz" in a single event.

i used query like this and am not getting the expected result

transaction startswith=("Message 1") endswith=("Message 2")|search ("conf msg")|stats count perc95(duration) as VALUE

is there any logic to get the exact result?

Re: time delay

ShaneNewman — Fri, 22 Mar 2013 23:15:33 GMT

It would help to see the rest of the event to know what fields are available to create a mvlist. What I have done, similar to what you are wanting to do, is broken out the entire event into 5 or 6 fields, then group them by the field that is common to that transaction... Such as ip_address. This is much easier when you setup a transactiontypes.conf for the transaction you are looking to create.

Example of transaction from transactiontypes.conf:

[event_collection]
fields = ip_address
startswith ="Login"
endswith ="Submit"
mvlist = event_type, event_timestamp, ip_address, user_id

Hope this helps!