topic Re: time difference calculation in Splunk Search

time difference calculation

keshab — Tue, 08 Nov 2011 21:18:03 GMT

I have a log which says when session was created and destroyed. What search string should I use to calculate the length of session??

Re: time difference calculation

RicoSuave — Tue, 08 Nov 2011 21:43:36 GMT

Can you post a copy of the log? that would help me craft a search for you. Assuming that the session start time and session end times are being extracted as fields already and are in every event, the following should work. Essentially, you are going to have to use the eval command.

<yoursearch> | eval starttime=strftime(sessionstart, "%d:%H:%M:%S") | eval endtime=strftime(sessionend, "%d:%H:%M:%S") | eval session_duration=endtime-starttime

Re: time difference calculation

Ayn — Tue, 08 Nov 2011 21:50:22 GMT

Create a transaction and grab the length of the session from the field duration that will be automatically calculated for you.

If you have some unique identifier that is valid for each session you could use this to identify each session. For instance if a session can be identified by that the field session_id has a unique value, do:

... | transaction session_id

There are other ways of defining how transactions should be created as well, all covered in the manual: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Re: time difference calculation

keshab — Wed, 09 Nov 2011 15:11:11 GMT

2011-11-09 03:48:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FEAA0178D

2011-11-09 03:55:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FEAA0178D

2011-11-09 04:18:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FE3434DQA

2011-11-09 04:57:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FE3434DQA

What I am trying to do is calculate the session length of each session and find the average of all the session and graph the average session on the chart.

Re: time difference calculation

kristian_kolb — Wed, 09 Nov 2011 20:14:06 GMT

Hi there,

given your logs this is accomplished by;

<your search giving the sample events> | transaction sessionid | timechart avg(duration)

Of course, you may want to change the charting options.

hope this helps,

Kristian

Re: time difference calculation

dwaddle — Wed, 16 Nov 2011 13:10:46 GMT

The transaction command is great for this, and works well as a general solution. However, for some purposes, you can accomplish the same thing more efficiently using stats. This may be a pretty good example of that - you're only dealing with two events. Something like:

INFO sessionid 
| rex "(Created|destroyed) sessionid: (?<sessionid>[^\s]+)" 
| stats min(_time) as begins, max(_time) as ends by sessionid
| eval duration=ends-begins

Some assumptions here include that you don't necessarily have sessionid extracted out as a field yet. If you do, you can skip the rex command. Also, it assumes that a single sessionid value is not reused within the search window and that both the beginning and ending of the session occur within the search window.