
Find differences between timestamps for all transactions

mosierg
New Member

Every line of the log file has a transaction id, a time stamp, and a message. It is intended to show a trace of all transactions. I'd like to modify the query below to show the differences between timestamps at all points and possibly highlight the largest differences per transaction.

The query I currently have is
| sort time ASC | stats list(time) , list(message) by id | sort id

0 Karma

somesoni2
SplunkTrust

Try this

your base search  | sort 0 time | streamstats current=f window=1 last(time) as prevTime by id | eval duration=time-prevTime | eventstats max(duration) as MaxDur by id | eval duration=if(duration=MaxDur,"**".tostring(duration),duration)  | stats list(time) , list(duration) , list(message) by id 
0 Karma
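The same per-transaction gap calculation as the search above, written out in Python as an added illustration (not code from the thread or from Splunk). It assumes constructed log lines of the form `<id> <ISO timestamp> <message>`, converts the timestamp to epoch seconds before subtracting (as an SPL search also must, e.g. with strptime, before `time-prevTime` yields a number), and flags the largest gap per id the way the `"**"` prefix in the eval does.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample trace lines (not taken from the thread): "<id> <ISO timestamp> <message>"
SAMPLE_LOG = """\
tx1 2024-03-01T10:00:00 start
tx2 2024-03-01T10:00:01 start
tx1 2024-03-01T10:00:02 lookup
tx1 2024-03-01T10:00:07 commit
tx2 2024-03-01T10:00:03 lookup
tx2 2024-03-01T10:00:04 commit
"""


def parse_line(line):
    """Split one line into (id, epoch seconds, message).

    The timestamp must be numeric before two of them can be subtracted;
    subtracting raw timestamp strings gives no usable duration."""
    tx_id, ts, message = line.split(" ", 2)
    return tx_id, datetime.fromisoformat(ts).timestamp(), message


def transaction_gaps(log_text):
    """Per id: list of (epoch, gap_from_previous, message, is_max_gap).

    Mirrors: sort 0 time | streamstats current=f window=1 last(time) as prevTime by id
             | eval duration=time-prevTime | eventstats max(duration) as MaxDur by id"""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[1])            # sort 0 time
    prev_time = {}                             # last(time) per id (current=f window=1)
    rows = defaultdict(list)
    for tx_id, t, msg in events:
        gap = t - prev_time[tx_id] if tx_id in prev_time else None  # first event: no prevTime
        prev_time[tx_id] = t
        rows[tx_id].append((t, gap, msg))
    result = {}
    for tx_id, r in rows.items():              # eventstats max(duration) by id
        gaps = [g for _, g, _ in r if g is not None]
        max_gap = max(gaps) if gaps else None
        result[tx_id] = [(t, g, m, g is not None and g == max_gap) for t, g, m in r]
    return result


def render(result):
    """Format durations like the SPL eval: the largest gap per id is prefixed with '**'."""
    return {tx_id: ["" if g is None else ("**" if flag else "") + str(g)
                    for _, g, _, flag in r] for tx_id, r in result.items()}
```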

somesoni2
SplunkTrust

Start with your base search and try adding pieces one by one and see which part of the search is breaking things/not working as expected. This works fine with similar data I have.

0 Karma

mosierg
New Member

Any ideas why this query isn't working?

0 Karma

mosierg
New Member

Data is being returned but it is just some of the lines of the log files

0 Karma

somesoni2
SplunkTrust

Can you validate if data is being returned before the stats command?

0 Karma

mosierg
New Member

The variable names look right but now it isn't showing anything for duration.

0 Karma

somesoni2
SplunkTrust

Just fixed one typo in the eval. Try the updated search. Also, check the variable names (time/id/message).

0 Karma

mosierg
New Member

When I run that query, I'm returned all 0s for duration

0 Karma