Subtract Search results

Explorer

New to splunk - Using version 4.2.3, build 105575

I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this -

id_numer | search "MsgNo=0" OR "Hang Up"

Which gives me results like -

1 12/29/09 9:34:17.934 AM 12/29
09:34:17.934 2-11150042> Hang Up

2 12/29/09 9:29:51.043 AM 12/29
09:29:51.043 2-11150042> RCV:
SessNo=111, MsgNo=0, NextExp=0

How do I subtract these two results so I can get the time answer to

(time of first result) - (time of second result) = total time taken

That is -

9:34:17.934 - 9:29:51.043 = ?

Thanks,

Re: Subtract Search results

Motivator

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"

this will give you the duration of the transaction in a field aptly named duration.

The transactions chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions

Re: Subtract Search results

Explorer

Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results.

Oddly, playing with the maxspan value (10m / 30m / 45m) gives results?

Re: Subtract Search results

Communicator

Maxspan finds all transactions which fit into the desired time constraint. It is useful when you can guarantee a maximum time between your starting and ending events, but not if you don't know the maximum possible time.

You might want to play with "startswith" and "endswith" some more; you could even take out the "startswith", then try with the query as | transaction id_number endswith="Hang Up" just to see if you get any results.

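An alternative to the transaction approach in the accepted answer, added here as an example and not taken from any post above: stats pairs the two events per id_number without needing a maxspan guess, and is cheaper than transaction because it never holds whole event groups in memory. The base search (index=pbx), the id_number field and the use of _raw matching for the "Hang Up" event are assumptions; substitute your own base search.

```spl
index=pbx id_number=* ("MsgNo=0" OR "Hang Up")
| eval phase=if(match(_raw, "Hang Up"), "end", "start")
| stats min(_time) AS start_time max(_time) AS end_time
        values(phase) AS phases BY id_number
| where mvcount(phases)=2
| eval duration=end_time-start_time
| eval duration_str=tostring(duration, "duration")
| table id_number start_time end_time duration duration_str
```

The where clause drops calls that have only one of the two events in the search window, so a lone "Hang Up" (or a call still in progress) does not produce a misleading duration. One caveat: stats spans the whole time range, so if an id_number is reused for several calls over time, their min and max would be merged; in that case transaction with a maxspan, as discussed above, is the right tool.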
Re: Subtract Search results

Explorer

Thanks, eventually figured out the ideal setting was 20m

Re: Subtract Search results

Path Finder

Hey guys, I have a follow up question similar to this ask. I'm familiar with how transaction works, but I'm having fits trying to find or calculate the difference between duration events. Transaction groups "like" events, then sums the time within that event grouping. Ok, enough of a rehash of the manual.

My question is this. Has someone come up with a way to find the duration "between" the durations? Here is the result set I'm working with. The ask is how do I get a running total of the difference between 1 and 2, then 3 and 4. Of course I'll want to display this in my chart as well :D
Here's what I have so far -

eio | rex "(?i)\[(?P<stateio>[^\ ]+)\s+\]\s+\[(?P<issuedio>[^\ ]+)" | transaction stateio startswith="issuedio=PauseIO" endswith="issuedio=ResumeIO" | eval durationstr=tostring(duration,"duration") | rename durationstr as "PauseIO Durations" | table "PauseIO Durations", _time

1 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

2 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

3 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

4 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

Thanks in advance.

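One way to get the gap between consecutive transactions and a running total of those gaps, added here as an example rather than code from the post above. It keeps the poster's rex and transaction as written (the named groups stateio and issuedio are inferred from the fields the query uses) and assumes transaction's _time is the start of each group, which is the documented behaviour; the field names end_time, prev_end_time, gap and running_gap_total are made up for the example.

```spl
eio
| rex "(?i)\[(?P<stateio>[^\ ]+)\s+\]\s+\[(?P<issuedio>[^\ ]+)"
| transaction stateio startswith="issuedio=PauseIO" endswith="issuedio=ResumeIO"
| sort 0 _time
| eval end_time=_time+duration
| streamstats current=f window=1 last(end_time) AS prev_end_time
| eval gap=if(isnotnull(prev_end_time), _time-prev_end_time, null())
| streamstats sum(gap) AS running_gap_total
| eval pause_str=tostring(duration, "duration"),
       gap_str=tostring(gap, "duration"),
       total_str=tostring(running_gap_total, "duration")
| table _time pause_str gap_str total_str
```

The sort is required because search results come back newest first, so without it the "previous" transaction that streamstats sees would be the later one and the gaps would come out negative. The first transaction has no predecessor and gets a null gap, which sum() simply skips. For a chart, use timechart or chart on the numeric gap and running_gap_total fields rather than the tostring versions, which are text.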