time difference calculation

keshab
Path Finder

I have a log which says when a session was created and destroyed. What search string should I use to calculate the length of the session?


dwaddle
SplunkTrust

The transaction command is great for this, and works well as a general solution. However, for some purposes, you can accomplish the same thing more efficiently using stats. This may be a pretty good example of that - you're only dealing with two events. Something like:

INFO sessionid 
| rex "(Created|destroyed) sessionid: (?<sessionid>[^\s]+)" 
| stats min(_time) as begins, max(_time) as ends by sessionid
| eval duration=ends-begins

Some assumptions here include that you don't necessarily have sessionid extracted out as a field yet. If you do, you can skip the rex command. Also, it assumes that a single sessionid value is not reused within the search window and that both the beginning and ending of the session occur within the search window.
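As an added example that is not from this thread, here is a Python equivalent of the stats approach above, run over the sample events keshab posted (plus one constructed line with no matching "destroyed" event) so that the second assumption, a session that does not end inside the search window, is reported instead of silently dropped:

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample input: the four events from the question, plus a
# constructed fifth session that is created but never destroyed.
SAMPLE_LOG = """\
2011-11-09 03:48:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FEAA0178D
2011-11-09 03:55:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FEAA0178D
2011-11-09 04:18:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FE3434DQA
2011-11-09 04:57:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FE3434DQA
2011-11-09 05:02:00,000 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FE0000001
"""

# Same capture as the rex in the answer, with the timestamp added in front.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?(?P<event>Created|destroyed) sessionid: (?P<sessionid>\S+)"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # %f accepts the 3-digit millisecond part


def session_durations(log_text):
    """Mirror of: stats min(_time) as begins, max(_time) as ends by sessionid
    | eval duration=ends-begins.

    Returns (durations, incomplete): durations maps sessionid -> seconds for
    sessions with both events in the window; incomplete lists sessionids that
    have only a Created or only a destroyed event.  As with stats, a reused
    sessionid collapses to its earliest start and latest end."""
    begins, ends = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session lifecycle event
        t = datetime.strptime(m["ts"], TS_FORMAT)
        sid = m["sessionid"]
        if m["event"] == "Created":
            begins[sid] = min(t, begins.get(sid, t))
        else:
            ends[sid] = max(t, ends.get(sid, t))
    durations = {sid: (ends[sid] - begins[sid]).total_seconds()
                 for sid in begins if sid in ends}
    incomplete = sorted(set(begins) ^ set(ends))
    return durations, incomplete


def average_duration(durations):
    """Equivalent of a trailing | stats avg(duration); None if no complete session."""
    return mean(durations.values()) if durations else None
```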

kristian_kolb
Ultra Champion

Hi there,

given your logs, this is accomplished by:

<your search giving the sample events> | transaction sessionid | timechart avg(duration) 

Of course, you may want to change the charting options.

hope this helps,

Kristian

Ayn
Legend

Create a transaction and grab the length of the session from the field duration that will be automatically calculated for you.

If you have some unique identifier that is valid for each session, you could use this to identify each session. For instance, if a session can be identified by the field session_id having a unique value, do:

... | transaction session_id

There are other ways of defining how transactions should be created as well, all covered in the manual: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

RicoSuave
Builder

Can you post a copy of the log? That would help me craft a search for you. Assuming that the session start time and session end time are being extracted as fields already and are in every event, the following should work. Essentially, you are going to have to use the eval command.

<yoursearch> | eval starttime=strptime(sessionstart, "%d:%H:%M:%S") | eval endtime=strptime(sessionend, "%d:%H:%M:%S") | eval session_duration=endtime-starttime

keshab
Path Finder

2011-11-09 03:48:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FEAA0178D

2011-11-09 03:55:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FEAA0178D

2011-11-09 04:18:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FE3434DQA

2011-11-09 04:57:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FE3434DQA

What I am trying to do is calculate the session length of each session, find the average of all the sessions, and graph the average session length on a chart.
