Dashboards & Visualizations

Form Help

rakesh_498115
Motivator

Hi..

I need something like this: for every transaction in my logs I have a unique-id, i.e. for both the request and response transformation.

Say the request event will be something like this:

2012-12-23:10:50:33 unique-id =100 OrderId=34 Request Order #############
....
.
..

The response event will be something like this:

2012-12-23:12:50:33 unique-id =100 OrderId=34 Order Acknowledged #############
....
.
..

So now my requirement: for a particular period selected by the user, I need to know which order requests came in and were processed with more than 2 hrs time. So for example, if the user selects 3pm - 4pm, I need to know how many orders were processed, i.e. how many OrderIds are there which were processed with a processing time of more than 2 hrs. I need this list to be shown as the output of the form.

As of now, I have written two queries to find the orders which are taking more than 2 hrs.

Query 1 :

Run for the period 3pm - 4pm:
sourcetype="orderdata" | dedup OrderId | table OrderId | outputlookup OrderId.csv

This query is giving me the list of orders in that time.
Now, to check for each order whether it was processed in more than 2 hrs, I have written one more search.

Run for all time, or for a period longer than the one above:

sourcetype="orderdata" ("Request Order" OR "Order Acknowledged") | stats earliest(_time) as earliest latest(_time) as latest by OrderId | eval duration=latest-earliest | where duration > 7200 | table OrderId

Which is giving me the list of orders that were processed in more than 2 hrs.

Now please help: how can I put them in a search form? Or is there a better way to refine my search into a single query? Please help.


martin_mueller
SplunkTrust

Going by your requirement, I assume you want to see transactions started in a particular time frame that took longer than a certain duration, with the end potentially outside the selected time frame?

Here's a thought, untested and in pseudosplunk:

sourcetype="orderdata" (eventtype=req OR eventtype=ack) | transaction unique-id | where duration > 7200 | where _time >= relative_time(now(), "@d") AND _time <= relative_time(now(), "@d4h")

martin_mueller
SplunkTrust

The start time is in the combined event for the transaction; you can do comparisons on that in the final where using regular comparison operators. For example, if you wanted to look at events starting today from midnight to 4am you'd do something like this:

... | where _time >= relative_time(now(), "@d") AND _time <= relative_time(now(), "@d4h")

rakesh_498115
Motivator

In the above query, can you please tell me how I can give a longer time, i.e. the where start-time condition? Can you please give the exact query?

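To make the logic of the transaction-based approach in this thread concrete, here is an added example (not from the original posts and not Splunk's own code) that reimplements it in Python over constructed log lines in the question's format: events are grouped by unique-id, the duration is the ack time minus the request time, and the window filter is applied to the request (start) time only, so an ack that lands after the selected window is still counted rather than being cut off the way a search bounded to the window would cut it. The regex, the sample lines, the function names and the 10:00-11:00 window are assumptions made for this example.

```python
"""Pair "Request Order" / "Order Acknowledged" events by unique-id and list the
orders whose request fell in a selected window and took longer than a
threshold to be acknowledged. Added example, not the thread's own search;
it mirrors `transaction unique-id | where duration > 7200 | where <start in window>`.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the question's format (timestamps, ids and text are
# made up). unique-id 100 and 101 are requested inside 10:00-11:00 but acked
# hours later; 102 is acked quickly; 103 has no ack at all yet.
SAMPLE_LOG = """\
2012-12-23:10:50:33 unique-id =100 OrderId=34 Request Order #############
2012-12-23:10:05:10 unique-id =101 OrderId=35 Request Order #############
2012-12-23:10:20:00 unique-id =102 OrderId=36 Request Order #############
2012-12-23:10:40:00 unique-id =103 OrderId=37 Request Order #############
2012-12-23:10:45:00 unique-id =102 OrderId=36 Order Acknowledged #############
2012-12-23:13:05:33 unique-id =100 OrderId=34 Order Acknowledged #############
2012-12-23:13:30:00 unique-id =101 OrderId=35 Order Acknowledged #############
"""

TS_FMT = "%Y-%m-%d:%H:%M:%S"
# Explicit extraction: the space before '=' in "unique-id =100" means a plain
# key=value extractor may not pick the id up, so the regex tolerates it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2}) "
    r"unique-id\s*=\s*(?P<uid>\d+) OrderId=(?P<order>\d+) "
    r"(?P<msg>Request Order|Order Acknowledged)"
)


def parse_events(log_text):
    """Yield (timestamp, unique_id, order_id, message) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["uid"], m["order"], m["msg"]


def build_transactions(events):
    """Group events by unique-id, as `transaction unique-id` does: one record
    per id with the earliest and latest timestamp and whether an ack was seen."""
    txns = {}
    for ts, uid, order, msg in events:
        t = txns.setdefault(uid, {"order": order, "start": ts, "end": ts, "acked": False})
        t["start"] = min(t["start"], ts)
        t["end"] = max(t["end"], ts)
        if msg == "Order Acknowledged":
            t["acked"] = True
    return txns


def slow_orders(log_text, window_start, window_end, threshold_seconds=7200):
    """Return sorted (OrderId, unique-id, duration_seconds) for transactions
    whose *start* lies in [window_start, window_end] (strings in TS_FMT) and
    whose duration exceeds threshold_seconds. Filtering on the start time
    rather than on every event keeps acks that land outside the window."""
    w_start = datetime.strptime(window_start, TS_FMT)
    w_end = datetime.strptime(window_end, TS_FMT)
    threshold = timedelta(seconds=threshold_seconds)
    hits = []
    for uid, t in build_transactions(parse_events(log_text)).items():
        if not t["acked"]:
            continue  # still open: no ack yet, so no duration to compare
        if not (w_start <= t["start"] <= w_end):
            continue
        duration = t["end"] - t["start"]
        if duration > threshold:
            hits.append((t["order"], uid, int(duration.total_seconds())))
    return sorted(hits)


if __name__ == "__main__":
    for order, uid, secs in slow_orders(SAMPLE_LOG, "2012-12-23:10:00:00", "2012-12-23:11:00:00"):
        print(f"OrderId={order} unique-id={uid} processed in {secs}s")
```

Two points carry over to the Splunk search: the log's own events must cover a range wider than the selected window (the selected window plus the longest processing time you care about), with the window applied afterwards to the transaction's start time, and the `unique-id =100` spelling in the sample, with a space before the `=`, may not be extracted as a field automatically, in which case an explicit extraction is needed before `transaction unique-id` can group on it.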