Reporting

newbie question about time spent

mpjjonker
Explorer
Good day,
 
I am new to Splunk and have just completed the Fundamentals I course.
 
For my first use case I am looking for an example where I can create reports/dashboard on average time spent in our systems.
I have a key (orderid) and multiple systems log events where they provide this orderid as field.
In some systems the process continues after a human has acted. This might take hours or days.
 
I need to display stats like: average time to process an order end to end.
But also the number of orders that have started but have not yet ended.
 
Thanks
 
Can you point me to a sample/documentation that will help me to achieve this?

ITWhisperer
SplunkTrust
| stats first(_time) as start last(_time) as end by orderid

How do you know which event is the end of the process?

mpjjonker
Explorer

@ITWhisperer I think I ran into the issue you hinted at when you asked me how I know the end. I am getting negative durations (meaning end is before start)...

How should I use this host field to tell Splunk that the time for this event is to be considered last (or first depending on the host) ?


ITWhisperer
SplunkTrust

The issue is that the order in which the events are normally processed (without a sort) is most recent to least recent, so first is actually the most recent, i.e. the latest event, so you probably need to name them differently. That's why I said subtract the lower number from the larger number. You could also capture the last host (first found).

| stats first(_time) as end last(_time) as start first(host) as finalhost by orderid
| eval duration=end-start

 

mpjjonker
Explorer

Ok thanks @ITWhisperer, I now have a report with 3 columns:

orderid start end

Which command can I best use to subtract start from end ?

The minus sign does not work.

Subtract also not..

A link to the documentation is also welcome.

ITWhisperer
SplunkTrust

Depending on the ordering of the events you may find that start is a bigger number than end; you need to subtract the smaller number from the larger to get the time difference in seconds.

mpjjonker
Explorer

Thanks I will try this out.

The last step of the process is in another system, so I can use the host field (I hope) to know the last _time.

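A search that puts the thread's advice together, added here as an example and not something posted in the thread: it takes an order's end time from the event logged by the final system rather than from event order, so durations can never come out negative, and it also counts the orders that have started but not yet finished, which the original question asked for. The index name `orders` and the host name `fulfilment-host` are assumed placeholders; replace them with your own values.

```spl
index=orders orderid=*
| eval end_candidate=if(host="fulfilment-host", _time, null())
| stats min(_time) as start, max(end_candidate) as end, count as events by orderid
| eval status=if(isnull(end), "open", "complete")
| eval duration=if(status="complete", end-start, null())
| eval duration_readable=tostring(duration, "duration")
| stats count(eval(status="open")) as open_orders,
        count(eval(status="complete")) as completed_orders,
        avg(duration) as avg_end_to_end_seconds,
        max(duration) as longest_seconds
| eval avg_end_to_end=tostring(round(avg_end_to_end_seconds), "duration")
```

Stop the search after the `duration_readable` line to get the per-order table with start, end, status and duration; the last two lines collapse it into the figures for a dashboard panel. The time range of the search must be wide enough to include the start events of orders that are still open, otherwise those orders will not be counted.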