Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can anyone help me with a query that detects when a page takes longer than 30 seconds to load?

satyaallaparthi
Communicator
‎03-01-2019 11:14 AM

Can anyone help me with a query that detects when a page takes longer than 30 seconds to load? I got URL extraction, and I want to know how to get startTime and endTime into results to get duration from that event, which is in JSON format.

{"Name":"url","Value":"\"/Services/****/*******-Services-DynamicMenuService/GetMenuForOutlet\""}{"Name":"duration","Value":"574"},{"Name":"logSource","Value":"\"HttpInterceptor\""},{"Name":"result","Value":"\"failed\""},{"Name":"startTime","Value":"\"2019-03-01T19:07:30.368Z\""},{"Name":"endTime","Value":"\"2019-03-01T19:07:30.942Z\""},{"Name":"createDate","Value":"\"2019-03-01T19:07:30.942Z\""},{"Name":"body","Value":"\"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-01-2019 11:54 AM

Try this:

| your search
| rex "startTime\",\"Value\":\"\\"(?<startTime>[\d\-T:\.Z]*).*?endTime\",\"Value\":\"\\"(?<endTime>[\d\-T:\.Z]*)"
|eval start = strptime(startTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
|eval end = strptime(endTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval duration = end - start
| search duration > 30

All the best

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-01-2019 02:21 PM

Give this a try

your base search
| rex "startTime[^\:]+\:[^\d]+(?<startTime>[^Z]+Z).+?endTime[^\:]+\:[^\d]+(?<endTime>[^Z]+Z)"
|eval startTime= strptime(startTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
 |eval endTime= strptime(endTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
 | eval duration = endTime-startTime
| table duration
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-01-2019 12:03 PM

How are you extracting field url? You should be able to use the same method to extract startTime and endTime fields (regex will be updated of course). Then you can use strptime function to convert string formatted date to epoch to calculate duration/response time.
https://answers.splunk.com/answers/454902/how-to-calculate-the-duration-of-a-single-event.html

0 Karma
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎03-01-2019 01:47 PM

If am extracting duration from IFX.. its not extracting for all events properly.. we need startTime and endTime but I can't able to extract those.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-01-2019 11:54 AM

Try this:

| your search
| rex "startTime\",\"Value\":\"\\"(?<startTime>[\d\-T:\.Z]*).*?endTime\",\"Value\":\"\\"(?<endTime>[\d\-T:\.Z]*)"
|eval start = strptime(startTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
|eval end = strptime(endTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval duration = end - start
| search duration > 30

All the best

0 Karma
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎03-01-2019 12:14 PM

Error in 'rex' command: Encountered the following error while compiling the regex 'startTime","Value":"\"(?[^]).?endTime","Value":"\"(?[^]*)': Regex: missing terminating ] for character class.

The search job has failed due to an error. You may be able view the job in the Job Inspector.

getting the above error and not allowing me to go further.

Thanks!

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-01-2019 12:20 PM

I have updated my answer. Can you give it another try?

0 Karma
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎03-01-2019 12:32 PM

Error in 'SearchParser': Missing a search command before '\'. Error at position '142' of search query 'search index=* sourcetype="mysrctpe"..{snipped} {errorcontext = tartTime>[\d-T:.Z]*}'.

again error

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-01-2019 12:46 PM

OK this one should work:

your search
| rex "startTime\",\"Value\":\"\\\"(?<startTime>[\d\-T:\.Z]*).*?endTime\",\"Value\":\"\\\"(?<endTime>[\d\-T:\.Z]*)"
 |eval start = strptime(startTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
 |eval end = strptime(endTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
 | eval duration = end - start
 | search duration > 30
0 Karma
Reply
Solved! Jump to solution

satyaallaparthi
Communicator
‎03-01-2019 01:45 PM

no result found .. if I am doing table duration.. that means not extracting properly right ?

I got zero result.. please help me with that..

Thanks,
Satya

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-01-2019 02:46 PM

What about this:

 your search
 | rex "startTime\",\"Value\":\"\\\"(?<startTime>[\d\-T:\.Z]*).*?endTime\",\"Value\":\"\\\"(?<endTime>[\d\-T:\.Z]*)"
  |eval start = strptime(startTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
  |eval end = strptime(endTime, "%Y-%m-%dT%H:%M:%S.%3QZ")
  | eval duration = end - start
| table *
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...