Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I group 2 events based on a unique field an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
farhanzakaria
New Member
12-18-2018
03:13 AM
My application always relies on backend service which we are using SOAP. Every successful SOAP call will always have 2 events — request and response. Both events will have one similar field with the same value which is technical id and this is unique to each call.
Request:
2018-12-18 10:46:03,987 {uid=aaa@bb.com, techid=1074979098911391744, sid=9999} - Outbound Message - BackendOne
Response:
2018-12-18 10:46:04,549 {uid=aaa@bb.com, techid=1074979098911391744, sid=9999} - Inbound Message - BackendOne
So based on these results, I'm supposed to extract duration required by each backend services which took more than 1000 ms to complete.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-18-2018
05:08 AM
@farhanzakaria,
There are few different ways to get this.
"your search" |stats count,earliest(_time) as start,latest(_time) as end by techid|eval duration=end-start|where duration >1 AND count>1
Using Transaction
"your search"|transaction techid startswith="Outbound Message" endswith="Inbound Message"|where duration>1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-18-2018
05:08 AM
@farhanzakaria,
There are few different ways to get this.
"your search" |stats count,earliest(_time) as start,latest(_time) as end by techid|eval duration=end-start|where duration >1 AND count>1
Using Transaction
"your search"|transaction techid startswith="Outbound Message" endswith="Inbound Message"|where duration>1
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
farhanzakaria
New Member
12-18-2018
08:10 PM
Thank you! The first answer would be the best as transaction would be really costly for my instance.
Get Updates on the Splunk Community!
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
New Release | Splunk Cloud Platform 10.1.2507
Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
🗣 You Spoke, We Listened
Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.
In ...
