Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create average time search?

aditsss
Motivator
‎07-25-2023 03:35 AM

Hi Team,

I am getting these two logs on daily basis:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1

2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

2023-07-18 08:04:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/17/2023, & version=1

2023-07-18 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

I want to create one query where I can calculate average time between process start and complete 

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1

2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

My current query is this :

index= "600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2"  source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"

Can someone guide me how to move forward and create average query.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-28-2023 02:29 AM 
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| timechart avg(duration) as duration span=1d
| eval duration=tostring(duration, "duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 04:36 AM

As a guide, you could look at the transaction command

transaction - Splunk Documentation

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-25-2023 05:11 AM

@ITWhisperer 

Can you please suggest me with the query I am not able to find that if we take first time and last time how can we do that:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
 
How can we take first time and last time and can show average of the time.How to fetch time from these two logs and how can we create average time.
 
@ITWhisperer  could you please suggest
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 05:49 AM

Use transaction starts with and ends with arguments to define the start and end of each transaction, then take an average of the durations of the transactions.

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-25-2023 06:27 AM

@ITWhisperer 

This two logs will appear on daily basis . Could you please help me the query  here:

How I can fetch time and then calculate average:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 06:37 AM

Based on my suggestion to use the transaction command, what have you tried so far?

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-25-2023 06:40 AM

@ITWhisperer 

Can you guide me how I can fetch the time from both logs:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2023 07:10 AM

The logs should already have a timestamp in the _time field - does this match the time you are looking for?

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 02:26 AM

Hi @ITWhisperer 

I have created one query like this for Start time:                                                                                                                                 

index= "abc" sourcetype = "600000304_gg_abs_ipc2" " Started ASSOCIATION process for" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex "-\s+(?<message>.*)" | table message _time

I am getting below result:

message                                                                                                   _time

Started ASSOCIATION process for BusDt=07/19/2023, & version=12023-07-20 10:49:53.777
Started ASSOCIATION process for BusDt=07/20/2023, & version=12023-07-21 10:39:08.819
Started ASSOCIATION process for BusDt=07/21/2023, & version=1

2023-07-22 08:24:19.919

 

Second query I have created like this for END TIME :

index= "abc*" sourcetype = "600000304_gg_abs_ipc2" "Successfully completed ASSOCIATION process" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex "-\s+(?<message1>.*)" | table message1 _time

Getting below result:

Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-20 11:42:53.835
Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-21 11:29:00.247
Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-22 09:18:20.100

How can I create one single query to show the average time (START and END TIME) Average day wise:

START TIME FOR DAY 2023-07-20

  -message                                                                                                                                         _time
Started ASSOCIATION process for BusDt=07/19/2023, & version=1                  2023-07-20 10:49:53.777

END TIME FOR DAY 2023-07-20

Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-20 11:42:53.835

 

@ITWhisperer  Can you please guide me guide me.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2023 03:28 AM

I am trying to guide you but you don't appear to be taking any notice - try using the transaction command

index= "abc" sourcetype = "600000304_gg_abs_ipc2"
| rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"

You might need a reverse command or perhaps switch the starts with and ends with strings

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 05:09 AM

@ITWhisperer 

I tried this query but no result:

index= "abc*" sourcetype = "600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for BusDt" endswith="Successfully completed ASSOCIATION process" | table thread

Can you please guide.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2023 08:28 AM

Where did table thread come from? What do you get without that?

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 08:46 AM

Hi @ITWhisperer 

With the below query I am not getting any statistics:

index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"

I have attached the screenshot .

How can I calculate average time?

Splunk.PNG

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2023 10:05 AM

One of the fields you probably get from transaction is duration. Try getting an average of this field.

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 10:50 AM

@ITWhisperer 

How can I get the duration from these two loggers:

Started ASSOCIATION process for BusDt=07/25/2023, & version=1 - 2023-07-26 07:52:36.011

Successfully completed ASSOCIATION process!! isAssociationBalanced?=true - 2023-07-26 08:44:07.507

Please guide how I can use transaction command to get average.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2023 10:58 AM 
ndex="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| stats avg(duration)
0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 11:32 AM

@ITWhisperer 

Thanks the below query work but is it possible to show in hour/min/sec/ms  format currently its showing only in seconds.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2023 02:44 PM 
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| stats avg(duration) as duration
| eval duration=tostring(duration, "duration")
0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎07-27-2023 10:46 PM

@ITWhisperer 

If we want to see each day separately like for last 7 days each day separately should we use table then. 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-28-2023 02:29 AM 
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| timechart avg(duration) as duration span=1d
| eval duration=tostring(duration, "duration")
0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top