Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate Transaction Time?

jayvrod
Explorer
‎08-18-2010 04:02 PM 
08/17/10,0:15:02,start   load_updates.sh 9.3
08/17/10,0:20:04,start   load_updates.sh 9.3
08/17/10,0:25:02,start   load_updates.sh 9.3
08/17/10,0:30:06,start   load_updates.sh 9.3
08/17/10,0:35:09,start   load_updates.sh 9.3
08/17/10,0:38:02,finish  load_updates.sh 9.3  status 0
08/17/10,0:40:02,start   load_updates.sh 9.3
08/17/10,0:45:09,start   load_updates.sh 9.3
08/17/10,0:49:03,finish  load_updates.sh 9.3  status 0

I would like to see a time difference example how long between the first start to finish? In other words how long did it take to load? The extra starts are the shell script trying to start again but fails due to a lock file.

Tags (1)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-18-2010 04:56 PM

Assuming that you want the time from the first start to the first finish line, and in this sample there are two separate times, you should use the transaction command. For example:

source=txnlog | transaction source endswith=finish

This will assemble the data into transactions with a duration field that represents the difference between start and finish times.

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-18-2010 08:03 PM

You want something like: source=txnlog earliest=-24h | transaction source endswith=finish | timechart span=1h sum(duration) count

0 Karma
Reply

jayvrod
Explorer
‎08-18-2010 06:30 PM

Thanks
but my result is
8/12/10 12:00:00.000 AM 158.523810
My goal is to see during the day how long for each start - finish combo is it taking to load, in Time. aka at 7am load_updates ran 5 times and it took 2 minutes each time.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-18-2010 05:38 PM

Just add | timechart avg(duration) to the search. You can pick another aggregation function like median or max if you prefer. You can also add "count" to the timechart to see how many transactions you had.

0 Karma
Reply

jayvrod
Explorer
‎08-18-2010 05:18 PM

Thanks
That helped but Now I get this
How do I graph the time?

For some reason my Far Left Column only shows Hour and Minute seconds is 00.000 PM

8/17/10
3:02:00.000 PM

08/17/10,0:15:02,start load_updates.sh 9.3
08/17/10,0:20:04,start load_updates.sh 9.3
08/17/10,0:25:02,start load_updates.sh 9.3
08/17/10,0:30:06,start load_updates.sh 9.3
08/17/10,0:35:09,start load_updates.sh 9.3
08/17/10,0:38:02,finish load_updates.sh 9.3 status 0
date_hour=15 Options| date_hour=20 Options| date_mday=17 Options| date_minute=2 Options| date_minute=4 Options

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...