Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Correlate data

bsteph
Explorer
‎08-16-2012 06:19 PM

Is it possible to correlate data to come up with a transaction time given this scenario? I want to calculate and chart the transaction time between a recv record and a send record identified by the last field below. For example the transaction time between 20120807 18:36:05 recv 9896A065210R04 and 20120807 18:36:19 send ACK 9896A065210R04 would be 14 seconds.

20120807 18:36:05 recv 9896A065210R04
20120807 18:36:05 recv 2910A005512372
20120807 18:36:05 recv 9795A019041S68
20120807 18:36:05 recv 9218A023441377
20120807 18:36:05 recv 6179A004360374
20120807 18:36:05 recv 2076A001701R48
20120807 18:36:05 recv 2076A001610R48
20120807 18:36:15 send ACK 5818A04030131X
20120807 18:36:15 send ACK 8320A0014JO000
20120807 18:36:15 send ACK 6716A014641303
20120807 18:36:16 send ACK 2887A06962V21F
20120807 18:36:19 send ACK 8320A001609000
20120807 18:36:19 send ACK 9896A065210R04
20120807 18:36:23 send ACK 2910A005512372
20120807 18:36:23 send ACK A0032436007492
20120807 18:36:23 send ACK 9218A023441377
20120807 18:36:23 send ACK 9795A019041S68
20120807 18:36:26 send ACK 2076A001701R48
20120807 18:36:27 send ACK 2076A001610R48
20120807 18:36:27 send ACK 6866A039301R02
20120807 18:36:27 send ACK 6179A004360374

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎08-16-2012 06:50 PM

The transaction command will give you this duration.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Assuming you had field called id for 20120807, it would look like this:

| transaction id

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎08-16-2012 06:50 PM

The transaction command will give you this duration.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Assuming you had field called id for 20120807, it would look like this:

| transaction id

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...