topic Re: How to get time duration between two events INSIDE a transaction? in Splunk Search

How to get time duration between two events INSIDE a transaction?

InkerzBrad — Wed, 30 Sep 2015 08:01:23 GMT

Basically what the log looks like is as below:

User log in---
some trivial events---
User start a action ----
some trivial events---
User end a action ----
some trivial events---
User log out---

I managed to use transaction to extract the events between user log in and user log out, but what I need is to get the start time and end time of this action and the time duration between start and end.

Any help would be appreciated...

Re: How to get time duration between two events INSIDE a transaction?

somesoni2 — Wed, 30 Sep 2015 18:31:16 GMT

Can you provide some sample logs and current query?

Re: How to get time duration between two events INSIDE a transaction?

InkerzBrad — Tue, 29 Sep 2020 07:27:10 GMT

Yeah sure:
the log is like:

SessionID ConnectionID (both are fields extracted) ..user_auth..(plaint text inside log)
SessionID ConnectionID (both are fields extracted) ..user_action_start..(plaint text inside log)
SessionID ConnectionID (both are fields extracted) ..user_action_end..(plaint text inside log)
SessionID ConnectionID (both are fields extracted) ..user_signoff..(plaint text inside log)

and my current query is
*| transaction Session connectionID startswith="user_auth" endswith="user_signoff"

Re: How to get time duration between two events INSIDE a transaction?

woodcock — Thu, 01 Oct 2015 00:36:02 GMT

The transaction command creates a field called duration whose value is the difference between the timestamps for the first and last events in the transaction.

Re: How to get time duration between two events INSIDE a transaction?

InkerzBrad — Thu, 01 Oct 2015 00:43:19 GMT

Thanks, but I need the timestamps difference between two events that inside the transaction, not the first or the last. Any way I could do that?

Re: How to get time duration between two events INSIDE a transaction?

woodcock — Thu, 01 Oct 2015 00:55:43 GMT

Why not adjust the transaction to start and end with the events that you need for it to? Then you can use duration.

Re: How to get time duration between two events INSIDE a transaction?

InkerzBrad — Thu, 01 Oct 2015 01:17:18 GMT

because I need to make sure it happens inside the user's login session so that I can know some much time one user spent on this action.

Or maybe there's another way?

Re: How to get time duration between two events INSIDE a transaction?

somesoni2 — Tue, 29 Sep 2020 07:25:50 GMT

Well give this a try. Assuming you can extract the action performed by the events into a field (e.g. user_auth, user_action_start, user_action_end, user_signoff

* | rex "\suser_(?<Action>\w+)" | eval temp=mvzip(Action,"_time","#") | transaction Session connectionID startswith="user_auth" endswith="user_signoff"  | eval start=mvfilter(match(temp,"action_start")) | eval end=mvfilter(match(temp,"action_end")) | eval actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1)

Re: How to get time duration between two events INSIDE a transaction?

InkerzBrad — Thu, 01 Oct 2015 04:14:30 GMT

Thanks, in the last statement which is actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1), it says '-' only takes number, which _time is apparently not. How could I solve it?

Re: How to get time duration between two events INSIDE a transaction?

InkerzBrad — Thu, 01 Oct 2015 05:10:54 GMT

It does the job!!

Re: How to get time duration between two events INSIDE a transaction?

somesoni2 — Thu, 01 Oct 2015 17:38:12 GMT

The mvindex is returning string, so need to convert to number. Try this

....| eval actionDuration=tonumber(mvindex(split(end,"#"),1))-tonumber(mvindex(split(start,"#"),1))