Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate time difference between starting and completing a task

atreece
Path Finder
‎12-20-2011 06:27 AM

I have a database that stores a separate event every time someone starts or stops a task. This should be a simple task, but I cant seem to figure out how to go about the calculation. There are three things I need to account for: accepting the task, abandoning the task, and completing the task. I only want to calculate the time it takes between each user's accepting a task and completing it. If they abandoned it, then I don't want splunk to calculate the time

This is working off of timestamps and the fields user_name and action

action=0 for accepting

action=1 for completing

action=2 for abandoning

Any suggestions as to how I would go about this calculation?

EDIT: My supervisors loved it, but now they want me to cut out times when the users are not logged in. I asked around, and got a nice addition to the logs: total_login_time, which, as it's so simply named, is a simple record, in milliseconds, of how long the users have been logged in to the site. Can I still use transaction? Or do I need to change it entirely?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎12-20-2011 06:56 AM

+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:

... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)

View solution in original post

Reply
Solved! Jump to solution

Splunkster45
Communicator
‎10-13-2014 09:28 AM

This is exactly what I was looking for!

0 Karma
Reply
Solved! Jump to solution

tgow
Splunk Employee
Splunk Employee
‎12-20-2011 07:15 AM

Great Stuff Ayn. Thanks. Give the points to Ayn!

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-20-2011 06:56 AM

+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:

... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
Reply
Solved! Jump to solution

atreece
Path Finder
‎12-20-2011 07:58 AM

Yes, I did have to change it around a bit. The resulting search string looks a bit like this:

index=task_data task="*" NOT action="2" | transaction user_name startswith="action=0" endswith="action=1" maxevents="2" | where duation>0 | stats count by duration, task_name | fields task_name, duration |sort -duration |rename task_name AS "Task Name"

and it's giving me fairly nice results.

on an unrelated note, I love your picture. That game was really fun.

0 Karma
Reply
Solved! Jump to solution

tgow
Splunk Employee
Splunk Employee
‎12-20-2011 06:38 AM

I would recommend that you take a look at the "transaction" command. It has a built in field called "duration". Here is an example of how to use it. 

source="your data" | transaction action beginswith="0" endswith="2"

You might need to experiment with the maxspan and maxpause as well.

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Transaction

Reply
Solved! Jump to solution

atreece
Path Finder
‎12-20-2011 07:37 AM

That's giving me some very nice results!
Thank you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...