All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find differences between timestamps for all transactions

mosierg
New Member
‎07-15-2014 09:15 AM

Every line of the log file has a transaction id, a time stamp, and a message. It is intended to show a trace of all transactions. I'd like to modify the query below to show the differences between timestamps at all points and possibly highlight the largest differences per transaction.

The query I currently have is
| sort time ASC | stats list(time) , list(message) by id | sort id

0 Karma
Reply

somesoni2
Revered Legend
‎07-15-2014 09:24 AM

Try this

your base search  | sort 0 time | streamstats current=f window=1 last(time) as prevTime by id | eval duration=time-prevTime | eventstats max(duration) as MaxDur by id | eval duration=if(duration=MaxDur,"**".tostring(duration),duration)  | stats list(time) , list(duration) , list(message) by id
0 Karma
Reply

somesoni2
Revered Legend
‎07-17-2014 10:47 AM

Start with you base search and try adding pieces one by one and see which part of the search is breaking things/not working as expected. This works fine with similar data I have.

0 Karma
Reply

mosierg
New Member
‎07-17-2014 09:39 AM

Any ideas why this query isn't working?

0 Karma
Reply

mosierg
New Member
‎07-15-2014 11:06 AM

Data is being returned but it is just some of the lines of the log files

0 Karma
Reply

somesoni2
Revered Legend
‎07-15-2014 09:47 AM

Can you validate if data is being returned before the stats command?

0 Karma
Reply

mosierg
New Member
‎07-15-2014 09:41 AM

The variable names look right but now it isn't showing anything for duration.

0 Karma
Reply

somesoni2
Revered Legend
‎07-15-2014 09:35 AM

Just fixed one type in the eval. Try the updated search. Also, check the variable names (time/id/message).

0 Karma
Reply

mosierg
New Member
‎07-15-2014 09:27 AM

When I run that query, I'm returned all 0s for duration

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...