Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display a timefrime from two events ?

nicxso
Engager
‎03-16-2019 04:53 PM

Hey guys,

I have a question. I have this search:

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")

| table host, vhost, audit_token, src_ip, session_id, time_request_total

This gives me two events. In the picture, down below, the first event contains the part "http_request_url="/portal/web/private-clients/"" value and the second event contains the (http_method="POST") value. Both have the same session id.

alt text

I would like to create a dashboard where it shows a time frame with the duration between this two events. The result of the duration should be 10 seconds.

Is there a way where you don't have to use the transaction command or is there any other way ? Kinda curious.

Thanks for your help

Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-16-2019 06:00 PM

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-16-2019 06:00 PM

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count by min(_time) as _time max(_time) as latestTime values(host) as host values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nicxso
Engager
‎03-17-2019 03:54 AM

@niketnilay

Thanks, I will try it out the search later. I would also like to use the search to display a timeline, where the X-Axis is showing the time from this two events and on the Y-Axis the duration. How can I do that ? Could I just use the timechart command? How would the search look like ?

Thanks

0 Karma
Reply
Solved! Jump to solution

nicxso
Engager
‎03-17-2019 07:18 AM

@niketnilay Would it also be possible to use the timechart command ?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-17-2019 04:56 AM

@nicxso if you want to display the duration for events you can use Timeline Custom Visualization

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...