lokival

Explorer

08-20-2011
08:07 PM

New to splunk - Using version 4.2.3, build 105575

I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this -

```
id_numer | search "MsgNo=0" OR "Hang Up"
```

Which gives me results like -

```
1  12/29/09 9:34:17.934 AM   12/29 09:34:17.934 2-11150042> Hang Up
2  12/29/09 9:29:51.043 AM   12/29 09:29:51.043 2-11150042> RCV: SessNo=111, MsgNo=0, NextExp=0
```

How do I subtract these two results so I can get the time answer to

(time of first result) - (time of second result) = total time taken

That is -

9:34:17.934 - 9:29:51.043 = ?

Thanks,

1 Solution

ftk

Motivator

08-20-2011
08:49 PM

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

```
[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"
```

this will give you the duration of the transaction in a field aptly named duration.

The transactions chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions


Re: Subtract Search results

lokival

Explorer

08-26-2011
11:18 AM

Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results.

Oddly, playing with the maxspan value (10m / 30m / 45m) gives results?


Re: Subtract Search results

acdevlin

Communicator

08-26-2011
11:34 AM

Maxspan finds all transactions which fit into the desired time constraint. It is useful when you can guarantee a maximum time between your starting and ending events, but not if you don't know the maximum possible time.

You might want to play with "startswith" and "endswith" some more; you could even take out the "startswith", then try with the query as `| transaction id_number endswith="Hang Up"`

just to see if you get any results.
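An added example, not from any of the posters above, that models in plain Python what ftk's `transaction id_number startswith="MsgNo=0" endswith="Hang Up"` does and what acdevlin's point about `maxspan` means for the result set. It is a simplified model, not Splunk's implementation: it pairs each `MsgNo=0` event with the next `Hang Up` for the same `id_number`, reports the span as `duration` in seconds, and discards a pair whose span exceeds `maxspan`. The log lines are constructed to follow the raw event layout quoted in the question (`12/29 09:34:17.934 2-11150042> Hang Up`); the year 2009, the extra identifiers `2-11150099` and `2-11150077`, and the `SAMPLE_LOG`, `parse_events` and `transaction` names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the raw-event layout quoted in the question.
# Session 2-11150042 matches the original events; 2-11150099 hangs up 25
# minutes after its MsgNo=0, so a 20m maxspan drops it; 2-11150077 has a
# Hang Up but no MsgNo=0, so it can never form a transaction.
SAMPLE_LOG = """\
12/29 09:29:51.043 2-11150042> RCV: SessNo=111, MsgNo=0, NextExp=0
12/29 09:31:02.500 2-11150042> RCV: SessNo=111, MsgNo=1, NextExp=1
12/29 09:34:17.934 2-11150042> Hang Up
12/29 09:40:00.000 2-11150099> RCV: SessNo=112, MsgNo=0, NextExp=0
12/29 10:05:00.000 2-11150099> Hang Up
12/29 10:30:00.000 2-11150077> Hang Up
"""

# <month/day> <HH:MM:SS.mmm> <id_number>> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<id_number>\S+)> (?P<msg>.*)$"
)

# The raw events carry no year; the question's UI timestamps show 2009, so
# that year is assumed here to get a real datetime for subtraction.
ASSUMED_YEAR = 2009

TWENTY_MINUTES = timedelta(minutes=20)


def parse_events(text):
    """Turn raw lines into dicts with a datetime in `_time`, like indexed events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the layout are ignored in this model
        events.append({
            "_time": datetime.strptime(m["ts"], "%m/%d %H:%M:%S.%f").replace(year=ASSUMED_YEAR),
            "id_number": m["id_number"],
            "msg": m["msg"],
        })
    return events


def transaction(events, field, startswith, endswith, maxspan=None):
    """
    Group events that share `field` into start..end pairs and report the span
    in seconds as `duration`.  A pair is emitted only when both a start and an
    end are seen for the same key; with `maxspan` set, a pair whose span is
    longer than `maxspan` is discarded rather than reported.
    """
    open_txn = {}
    result = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[field]
        if startswith in ev["msg"]:
            open_txn[key] = ev  # a repeated start for the same key restarts the pair
        elif endswith in ev["msg"] and key in open_txn:
            start = open_txn.pop(key)
            span = ev["_time"] - start["_time"]
            if maxspan is not None and span > maxspan:
                continue  # longer than maxspan: no transaction for this pair
            result.append({field: key, "duration": span.total_seconds()})
    return result


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for label, span in (("no maxspan", None), ("maxspan=20m", TWENTY_MINUTES)):
        print(label, transaction(events, "id_number", "MsgNo=0", "Hang Up", span))
```

With no `maxspan` both complete sessions are reported (the original pair comes out at 266.891 seconds, i.e. 9:34:17.934 minus 9:29:51.043); with `maxspan=20m` only `2-11150042` survives, which is the kind of change in the result set the thread is seeing when `maxspan` is varied. The id with a `Hang Up` and no `MsgNo=0` never appears in either run, so a zero-result search is worth checking against whether the start events are actually present in the time range.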


Re: Subtract Search results

lokival

Explorer

12-16-2011
08:05 AM

Thanks, eventually figured out the ideal setting was 20m


Re: Subtract Search results

deeboh

Path Finder

04-16-2012
04:00 PM

Hey guys, I have a follow-up question similar to this ask. I'm familiar with how transaction works, but I'm having fits trying to find or calculate the difference between duration events. Transaction groups "like" events, then sums the time within that event grouping. Ok, enough of a rehash of the manual.

My question is this. Has someone come up with a way to find the duration "between" the durations? Here is the result set I'm working with. The ask is how do I get a running total of the difference between 1 and 2, then 3 and 4. Of course I'll want to display this in my chart as well :D

Here's what I have so far -

*eio* | rex "(?i)] [(?P

```
1  [requested ] [ResumeIO Live]   [completed ] [ResumeIO Live]   duration=18
2  [requested ] [PauseIO Live]    [completed ] [PauseIO Live]    duration=17
3  [requested ] [ResumeIO Live]   [completed ] [ResumeIO Live]   duration=18
4  [requested ] [PauseIO Live]    [completed ] [PauseIO Live]    duration=17
```

Thanks in advance.
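An added example, not from the poster above, of the "duration between the durations" the follow-up asks for: for each transaction, the time from the previous transaction's `[completed ]` event to this one's `[requested ]` event, plus a running total of those gaps, and separately the gap inside each (1,2) and (3,4) pair. The input is a constructed list that mirrors the four Resume/Pause transactions in the post, already reduced to (name, requested time, completed time) in epoch seconds; the 18 and 17 second durations match the post, but the gaps, the epoch values and the `TRANSACTIONS`, `gaps_between` and `pair_gaps` names are assumptions for the example. In SPL this is the job of a streaming command such as `streamstats` rather than `transaction`, since it needs the previous row's end time on the current row.

```python
# Constructed transactions: (name, requested_epoch, completed_epoch).
# Durations match the post (18, 17, 18, 17); the gaps are invented.
TRANSACTIONS = [
    ("ResumeIO Live", 1_334_600_000, 1_334_600_018),  # duration 18
    ("PauseIO Live",  1_334_600_030, 1_334_600_047),  # duration 17, gap 12 after #1
    ("ResumeIO Live", 1_334_600_100, 1_334_600_118),  # duration 18, gap 53 after #2
    ("PauseIO Live",  1_334_600_125, 1_334_600_142),  # duration 17, gap 7 after #3
]


def gaps_between(transactions):
    """
    Walk the transactions in order of their requested time and emit, per
    transaction, its own duration, the gap since the previous transaction
    completed, and a running total of those gaps.  The first transaction has
    no predecessor, so its gap is None.  A negative gap means the transactions
    overlap (the next request arrived before the previous one completed).
    """
    rows = []
    running_gap = 0
    prev_completed = None
    for name, requested, completed in sorted(transactions, key=lambda t: t[1]):
        gap = None if prev_completed is None else requested - prev_completed
        if gap is not None:
            running_gap += gap
        rows.append({
            "name": name,
            "duration": completed - requested,
            "gap": gap,
            "running_gap": running_gap,
        })
        prev_completed = completed
    return rows


def pair_gaps(transactions):
    """
    Gap inside each consecutive pair (1,2), (3,4), ...: the time between the
    first member completing and the second member being requested.  A trailing
    unpaired transaction is ignored.
    """
    rows = gaps_between(transactions)
    return [rows[i + 1]["gap"] for i in range(0, len(rows) - 1, 2)]


if __name__ == "__main__":
    for row in gaps_between(TRANSACTIONS):
        print(row)
    print("pair gaps:", pair_gaps(TRANSACTIONS))
```

`gaps_between` is the general form (every transaction to the next one, which is what you would chart as a running total); `pair_gaps` is the narrower "1 and 2, then 3 and 4" reading of the question. Both depend on the transactions being sorted by start time, so sort before computing rather than trusting the order events came out of the search.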