Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I group 2 events based on a unique field and extract time of the duration between them?

farhanzakaria
New Member
‎12-18-2018 03:13 AM

My application always relies on backend service which we are using SOAP. Every successful SOAP call will always have 2 events — request and response. Both events will have one similar field with the same value which is technical id and this is unique to each call.

Request:

2018-12-18 10:46:03,987 {uid=aaa@bb.com, techid=1074979098911391744, sid=9999} - Outbound Message - BackendOne

Response:
2018-12-18 10:46:04,549 {uid=aaa@bb.com, techid=1074979098911391744, sid=9999} - Inbound Message - BackendOne

So based on these results, I'm supposed to extract duration required by each backend services which took more than 1000 ms to complete.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-18-2018 05:08 AM

@farhanzakaria,

There are few different ways to get this.

"your search" |stats count,earliest(_time) as start,latest(_time) as end by techid|eval duration=end-start|where duration >1 AND count>1

Using Transaction

    "your search"|transaction techid startswith="Outbound Message" endswith="Inbound Message"|where duration>1
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-18-2018 05:08 AM

@farhanzakaria,

There are few different ways to get this.

"your search" |stats count,earliest(_time) as start,latest(_time) as end by techid|eval duration=end-start|where duration >1 AND count>1

Using Transaction

    "your search"|transaction techid startswith="Outbound Message" endswith="Inbound Message"|where duration>1
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

farhanzakaria
New Member
‎12-18-2018 08:10 PM

Thank you! The first answer would be the best as transaction would be really costly for my instance.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...