Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate durations within a transaction

Jeremiah
Motivator
‎08-31-2012 01:41 PM

I have a transaction that crosses multiple applications. I have a eventguid that I use with the transaction command to calculate the duration of the transaction. But now, I need to be able to calculate the durations within each of the applications as well, and build a table with that information. For example:

Event1 app=1 eventguid=123 some message text
Event2 app=1 eventguid=123 some more text
Event3 app=2 eventguid=123 other stuff
Event4 app=2 eventguid=123 more stuff

and so on..

And then the output would look something like this, or similar:

EventGUID app1_duration app2_duration total_duration
123       10            20            30
456       15            7             22

I've thought about first creating transactions based on the app and the eventguid, which would allow me to calculate the individual durations within each app, then do something like | stats sum(duration) by EventGUID which would give me the total. Any other thoughts?

Reply

jonuwz
Influencer
‎08-31-2012 03:26 PM

Given this input :

_time,app,eventguid,text
1346449414,1,123,some more text
1346449424,1,456,other stuff
1346449434,2,123,some more text
1346449436,2,456,other stuff
1346449436,3,123,some more text
1346449439,3,456,other stuff

This 

 | inputlookup example.csv 
 | streamstats global=f current=f window=1 first(_time) as ptime first(app) as papp by eventguid 
 | where isnotnull(ptime) 
 | eval dur=_time-ptime 
 | eval papp="app".papp."_duration"
 | chart first(dur) over eventguid by papp

Produces this 

eventguid   app1_duration   app2_duration
123         20                 2
456         12                 3

I'm making a few assumtions

  1. you have to use the time of the event to workout the duration as the transaction moves through the apps.
  2. The event is logged when the transaction hits the app, not when it leaves

In this case, you can only work out 2 durations if there's 3 apps, and the time between the events for app1 and app2 is the duration spent in app1

Adding totals is simple (or at least it is if your eventguid isn't numeric !)

Just add

| addtotals

or if your eventguids really are numeric

| eval eventguid=" ".eventguid | addtotals | eval eventguid=ltrim(eventguid)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...