https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217243#M63815 <P>Hi,</P> <P>Anyone, please help me. I need to find out the time between REQ and ACK by using the (TS:1478717835696) and Data Collection Node (DCN). But am trying to find out by using the transaction command but i haven't get the exact results.</P> <P>My code is like this and also i need to find out the outcome status.</P> <PRE><CODE>2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835696]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=REQ 2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835796]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=ACK,Outcome=SUCCESS 2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835800]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=RSP,Segment =100 </CODE></PRE> <P>Anyone, please help me.</P> <P>Thanks.</P> Fri, 11 Nov 2016 01:09:13 GMT prashanthberam 2016-11-11T01:09:13Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217243#M63815 <P>Hi,</P> <P>Anyone, please help me. I need to find out the time between REQ and ACK by using the (TS:1478717835696) and Data Collection Node (DCN). But am trying to find out by using the transaction command but i haven't get the exact results.</P> <P>My code is like this and also i need to find out the outcome status.</P> <PRE><CODE>2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835696]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=REQ 2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835796]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=ACK,Outcome=SUCCESS 2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835800]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=RSP,Segment =100 </CODE></PRE> <P>Anyone, please help me.</P> <P>Thanks.</P> Fri, 11 Nov 2016 01:09:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217243#M63815 prashanthberam 2016-11-11T01:09:13Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217244#M63816 <P>If TS and DCN can uniquely identify one session (transaction) then can you try this:</P> <PRE><CODE>index=yourIndex sourcetype=yourSourcetype "InvocationType=REQ" "InvocationType=ACK" | rex field=_raw "\-\[(?&lt;dcn&gt;[^\-]+)\-(?&lt;ts&gt;[^\]]+)\]" | transaction ts, dcn | table dcn, ts, duration </CODE></PRE> <P>This assumes all your timestamps are of same format. If they are of different format then probably it will require formatting first and then transaction command.</P> Fri, 11 Nov 2016 06:31:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217244#M63816 gokadroid 2016-11-11T06:31:56Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217245#M63817 <P>Thanks it works perfectly....</P> Fri, 11 Nov 2016 18:47:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-show-the-time-between-REQ-and/m-p/217245#M63817 prashanthberam 2016-11-11T18:47:27Z