Reporting

newbe question about time spent

mpjjonker
Explorer
Good day,
 
I am new to Splunk and just have completed the fundamentals I course.
 
For my first use case I am looking for an example where I can create reports/dashboard on average time spent in our systems.
I have a key (orderid) and multiple systems log events where they provide this orderid as field.
In some systems the process continues after a human has acted. This might take hours or days.
 
I need to display stats like: average time to process an order end to end.
But also the number of orders that have started but have not yet ended.
 
Thanks
 
Can you point me to a sample/documentation that will help me to achieve this ?
1 Solution

ITWhisperer
Legend

The issue is that the order in which the events are normally processed (without a sort) is most recent to least recent, so first is actually the most recent, i.e. the latest event, so you probably need to name them differently. That's why I said subtract the lower number from the larger number. You could also capture the last host (first found).

| stats first(_time) as end last(_time) as start first(host) as finalhost by orderid
| eval duration=end-start

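As an added example (not from this thread), the same report written so that it does not depend on the event order the accepted answer warns about: min()/max() give start and end regardless of sort order, latest(host) records the system that wrote the last event, and the second stats answers the original question's "started but not ended" count. The index name `orders` and the placeholder `FINAL_SYSTEM_HOST` (the host of the system that writes the final event) are assumptions to replace with your own values.

```spl
index=orders orderid=*
| stats min(_time) as start, max(_time) as end, count as events,
        latest(host) as finalhost by orderid
| eval duration=end-start
| eval status=if(finalhost="FINAL_SYSTEM_HOST", "completed", "open")
| eval completed_duration=if(status="completed", duration, null())
| stats avg(completed_duration) as avg_seconds,
        count(eval(status="open")) as open_orders,
        count as total_orders
| eval avg_hours=round(avg_seconds/3600, 2)
```

Because completed_duration is null for open orders, avg() only averages orders that have finished, so orders still waiting on a human do not drag the end-to-end average down.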

ITWhisperer
Legend
| stats first(_time) as start last(_time) as end by orderid

How do you know which event is the end of the process?

mpjjonker
Explorer

@ITWhisperer I think I ran into the issue you hinted at when you asked me how I know the end. I am getting negative durations (meaning end is before start)...

How should I use this host field to tell Splunk that the time for this event is to be considered last (or first depending on the host) ?


mpjjonker
Explorer

Ok thanks @ITWhisperer I now have a report with 3 columns:

orderid start end

Which command can I best use to subtract start from end ?

The minus sign does not work.

Subtract also not..

A link to the documentation is also welcome.


ITWhisperer
Legend

Depending on the ordering of the events you may find that start is a bigger number than end; you need to subtract the smaller number from the larger to get the time difference in seconds.

mpjjonker
Explorer

Thanks I will try this out.

The last step of the process is in another system, so I can use the host field (I hope) to know the last _time.
