Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to track delay of event on a day to day basis?

dl70
Loves-to-Learn
‎01-27-2021 10:22 PM

Hi!

I currently have a csv file which shows the expected time my daily reports should be sent out.

I also have a search which displays the time the report is actually sent and have created a field called "Delay" which shows the difference between the expected time and actual time.

My issue is, if I wish to search events on a range e.g. for the past week and find their delay for each day: if i have a report that wasn't sent out on Monday as expected, but instead was delayed to Tuesday, the "Delay" value is only comparing to an expected time rather than an expected time and date, hence the delay is 0.

dl70_0-1611814817657.png

i.e reports on the 2nd and 3rd of January were delayed till 4th of January. Yet as they were sent at a time before the expected time, the delay shows 0, rather than the correct value of over a day.

Any ideas?

Thanks in advance

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-27-2021 10:46 PM

@dl70 

Please show the query where you are calculating DELAY

There is nothing in your example chart that shows anything to do with 2nd and 3rd Jan

 

0 Karma
Reply

dl70
Loves-to-Learn
‎01-27-2021 11:01 PM

Hi,

dl70_0-1611817018621.png

Here is the query to calculate delay. endtime3 refers to the actual sent time of report.

DELAY_MIN refers to the delay in minutes.

The reports are expected to be sent on a daily basis. Thus in the chart I provided, i have selected the timepicker for Jan 2nd - Jan 7th.  The daily reports meant to be sent on 2nd and 3rd were delayed until the 4th of January. Which is why there are 3 reports sent on the 4th. 

My aim is to reflect this delay of over one day.

Thanks in advance!

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-28-2021 01:41 PM

Thanks for posting that. So, the question is, how can you derive from the data that the report that was supposed to be sent on the 2nd was not sent until the 4th?

Unless you have the expected DATE, as opposed to TIME, then you can't determine the delay for the report. There's nothing in your example data that shows if this data is available.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...