Find the Difference between Timestamps

skoelpin
SplunkTrust

In Splunk I'm tracking web service calls which have request/response pairs. So for example we have a Get Delivery Schedule web service which has a SOAP request and response. We have a unique identifier (GUID) tied to the request/response pairs which match each other. I want to find the time from when the request was made to the time there was a response. So I was thinking of making a new field which would take the difference between the response timestamp and the request timestamp and applying it to the request event. So then I could search for all the requests by using the GUID and have that response time tied to each request. I then wanted to grab all the response times and export them to Excel so I can do an analysis.

Any idea how I could do this?


chanfoli
Builder

Have a look at the transaction command. If your search returns requests and responses with an identifier, all you usually need to do is add something like "| transaction GUIDFIELDNAME".

Depending on things such as maximum expected request time and whether request and response events have identifiers, you could make it more reliable by using additional options like maxspan, startswith, and endswith.

This command will add some fields to your results, one of which is duration in seconds, and this sounds like what you are after.

See: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/transaction
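
The approach from the answer above, written out as an added example (not part of the original posts). The index, sourcetype, field name `GUID`, the marker strings `SOAP-Request` and `SOAP-Response`, and the 5 minute `maxspan` are assumptions to replace with your own values. `keepevicted=true` goes beyond the answer: it keeps requests that never received a response inside `maxspan`, so they show up flagged instead of silently dropping out of the analysis.

```spl
index=example_index sourcetype=example_soap_log GUID=*
| transaction GUID startswith="SOAP-Request" endswith="SOAP-Response" maxspan=5m keepevicted=true
| eval status=if(closed_txn==1, "complete", "no_response_within_maxspan")
| table _time GUID duration eventcount status
| sort - duration
```

`duration` is in seconds and `_time` is the timestamp of the earliest event in each pair. The resulting table can be exported as CSV from the search results and opened in Excel.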
