Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to track delay of event on a day to day basis?

dl70
Loves-to-Learn
‎01-27-2021 10:22 PM

Hi!

I currently have a csv file which shows the expected time my daily reports should be sent out.

I also have a search which displays the time the report is actually sent and have created a field called "Delay" which shows the difference between the expected time and actual time.

My issue is, if I wish to search events on a range e.g. for the past week and find their delay for each day: if i have a report that wasn't sent out on Monday as expected, but instead was delayed to Tuesday, the "Delay" value is only comparing to an expected time rather than an expected time and date, hence the delay is 0.

dl70_0-1611814817657.png

i.e reports on the 2nd and 3rd of January were delayed till 4th of January. Yet as they were sent at a time before the expected time, the delay shows 0, rather than the correct value of over a day.

Any ideas?

Thanks in advance

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-27-2021 10:46 PM

@dl70 

Please show the query where you are calculating DELAY

There is nothing in your example chart that shows anything to do with 2nd and 3rd Jan

 

0 Karma
Reply

dl70
Loves-to-Learn
‎01-27-2021 11:01 PM

Hi,

dl70_0-1611817018621.png

Here is the query to calculate delay. endtime3 refers to the actual sent time of report.

DELAY_MIN refers to the delay in minutes.

The reports are expected to be sent on a daily basis. Thus in the chart I provided, i have selected the timepicker for Jan 2nd - Jan 7th.  The daily reports meant to be sent on 2nd and 3rd were delayed until the 4th of January. Which is why there are 3 reports sent on the 4th. 

My aim is to reflect this delay of over one day.

Thanks in advance!

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-28-2021 01:41 PM

Thanks for posting that. So, the question is, how can you derive from the data that the report that was supposed to be sent on the 2nd was not sent until the 4th?

Unless you have the expected DATE, as opposed to TIME, then you can't determine the delay for the report. There's nothing in your example data that shows if this data is available.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...