Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display a timefrime from two events ?

nicxso
Engager
‎03-16-2019 04:53 PM

Hey guys,

I have a question. I have this search:

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")

| table host, vhost, audit_token, src_ip, session_id, time_request_total

This gives me two events. In the picture, down below, the first event contains the part "http_request_url="/portal/web/private-clients/"" value and the second event contains the (http_method="POST") value. Both have the same session id.

alt text

I would like to create a dashboard where it shows a time frame with the duration between this two events. The result of the duration should be 10 seconds.

Is there a way where you don't have to use the transaction command or is there any other way ? Kinda curious.

Thanks for your help

Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-16-2019 06:00 PM

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-16-2019 06:00 PM

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nicxso
Engager
‎03-17-2019 03:54 AM

@niketnilay

Thanks, I will try it out the search later. I would also like to use the search to display a timeline, where the X-Axis is showing the time from this two events and on the Y-Axis the duration. How can I do that ? Could I just use the timechart command? How would the search look like ?

Thanks

0 Karma
Reply
Solved! Jump to solution

nicxso
Engager
‎03-17-2019 07:18 AM

@niketnilay Would it also be possible to use the timechart command ?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-17-2019 04:56 AM

@nicxso if you want to display the duration for events you can use Timeline Custom Visualization

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...