topic Re: Time Difference in the transaction in Splunk Search

Time Difference in the transaction

sanyonhhh — Tue, 08 Oct 2013 12:34:42 GMT

Below is a sample log, i want to find time difference. By this query
index=[search] | transaction startswith="A started" endswith="A completed"
i was able to find the rows from log.

2013-10-04T07:54:05 Component Log-level A Started

2013-10-04T07:54:09 Component Log-level A Completed

x-axis should be plotted with span=1d and y-axis plotted with time difference value. Please help me.

Re: Time Difference in the transaction

okrabbe_splunk — Tue, 08 Oct 2013 12:49:56 GMT

You would use timechart. Transaction already calculates the duration between start and end of a transaction.

index=[search] | transaction startswith="A started" endswith="A completed
| timechart span=1d avg(duration)

Re: Time Difference in the transaction

kristian_kolb — Tue, 08 Oct 2013 12:51:44 GMT

Perhaps a timechart is what you are looking for, for plotting the duration value over time for a certain transaction. duration is calculated automatically by the transaction command. See the example below, which works on standard apache web logs.

sourcetype=access_combined earliest=-1h clientip=10.1.1.1 
| transaction clientip maxspan=3m
| timechart span=1m first(duration) by clientip

Hope this helps,

Re: Time Difference in the transaction

sanyonhhh — Tue, 08 Oct 2013 14:07:20 GMT

How to get that transaction time difference...the query which u given gives only average... i need the difference between every transaction happened, it present in same event.

Re: Time Difference in the transaction

sanyonhhh — Tue, 08 Oct 2013 14:08:49 GMT

yes duration is calculated but i need time difference between start pattern and end pattern not all.

Re: Time Difference in the transaction

okrabbe_splunk — Tue, 08 Oct 2013 14:54:28 GMT

Well, anytime you bucket you need to aggregate the data in some way by either doing an average, max, min etc. If you just want to list them all you could do the following instead:

| chart last(duration) by _time

This is pretty close to what Kristian suggested below so I am not sure why you didn't like his answer?

Re: Time Difference in the transaction

kristian_kolb — Tue, 08 Oct 2013 15:22:27 GMT

duration IS the time difference between start pattern and end pattern, i.e. startswith and endswith, for EACH transaction. The sample log in your question would have a duration value of 4 (seconds), regardless of how many events there are IN the transaction.

Is there some other time difference you wish to calculate? Please provide more sample events, and a description of how you want it charted.

Re: Time Difference in the transaction

sowings — Tue, 08 Oct 2013 16:13:14 GMT

My reading is "I want every duration plotted, not first() or avg()".

Re: Time Difference in the transaction

dwaddle — Tue, 08 Oct 2013 18:06:55 GMT

If I understand what you are trying to say, you want a 24-hour chart with every transaction in that 24 hours and its respective duration. I think there is some confusion by your use of the phrase "span=1d" because that is commonly a search argument to timechart - which will have to do some statistical aggregation because that is all it knows.

An approach that you can use with limited data is something like this:

index=[search] earliest=@d latest=@d+1d
| transaction startswith="A started" endswith="A completed"
| table _time, duration

This produces chartable data that is 24 hours wide with every data point in the sample represented. BUT if you have more than a few hundred data points, it starts to fall apart fast. Example - on a 1600x1200 screen, even if the chart is full screen you only have enough room for about 1500 data points (assuming 1 pixel per data point).

When you have a large number of data points and you need a somewhat sensical graph, that is where doing timechart and aggregating over time ranges is essential. For example, over a 1 day search period take an average - or maximum or minimum or something - over a span=1m.

Re: Time Difference in the transaction

kristian_kolb — Tue, 08 Oct 2013 18:51:23 GMT

Maybe, I could have been more clear with that. Given the timespans in my example, there will be not be more than one transaction per timeslice, so it does not matter which avg(), min(), first() etc function is used.

Re: Time Difference in the transaction

sanyonhhh — Wed, 09 Oct 2013 11:54:01 GMT

Hi dwaddle,

E.g. query works fine when the log result like below,

2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:09 Component Log-level A Completed

But it fails when it contains in-between lines, it aggregates all the lines time difference and giving it.

2013-10-04T07:54:05 Component Log-level A Started \ this is starts with content

2013-10-04T07:54:09 Component Log-level A Completed \ this is ends with content
I need time difference for start and end content excluding the time difference in-between lines.

Re: Time Difference in the transaction

kristian_kolb — Wed, 09 Oct 2013 12:37:43 GMT

duration is calculated as the time difference between the first and last event in a transaction, regardless of how many events are in the transaction.

I'm sorry, but perhaps you can give more sample data and explain why the durations you get are 'wrong'.