Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate meantime among requests based on timestamp

wagnerbianchi
Splunk Employee
Splunk Employee
‎06-10-2013 06:38 AM

Hello Folks,

This time I would like to have the difference between two timestamps, but, considering all the logs in the apache access log file. So, going through the details, I have an apache access log which is giving me the following:

0.2.1.44 - - [10/Jun/2013 13:39:03:104] "GET /cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01&JSESSIONID=SD8SL1FF5ADFF1 HTTP 1.1" 503 879 "http://shop.gourmet-shop.com/cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 

101 1.178.233.243 - - [10/Jun/2013 13:34:04:151] "GET /oldlink?item_id=EST-12&JSESSIONID=SD10SL3FF4ADFF2 HTTP 1.1" 200 1312 "http://shop.gourmet-shop.com/category.screen?category_id=BAKING" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 147

My _time field is working well. My intention is to dynamically have the difference between/among timestamps...

 search ... (10/Jun/2013 13:34:04:151 - 10/Jun/2013 13:39:03:104)

Do you guys can help with that?

Thanks a lot.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-11-2013 12:44 AM

This is some data from the AppMgmt demo app, right. What is it that you want to do? Transactions based off IP or JSESSIONID? Neither will work well, as this is generated test data. If you want to play with it anyway, see the link below from @dwaddle.

If you just want to see the difference between events for some numerical field, e.g. _time, status, bytes, time_taken, then you could look at the delta command.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎06-10-2013 08:41 AM

This sounds roughly like a transaction.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouttransactions

When you define a transaction, Splunk will automatically compute duration which is the amount of time between the first and last event in the transaction.

Also, read Chap 7 of Carasso's book, http://www.splunk.com/goto/book

0 Karma
Reply

Ayn
Legend
‎06-10-2013 07:44 AM

Which two events are you looking to get the time difference between? How can they be identified?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...