Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duration, Average , max, min response Time

BT
Path Finder
‎05-05-2022 05:45 AM

2 events : request and response and unique id which binds this transaction.

I have  issue where i have to calculate the total duration between request and response and average , max and min response time from all the transaction triggered per day/per hour. the below query works in extracting request and response but duration is not being calculated, or displayed  when i run the query :

search query |  stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID | eval duration=response- request

 

result for above query :

TransactionID                                                                          Request                                              Response

000877d43ef8778123243454bda780c5e5     2022-05-05 01:36:12.916      2022-05-05 01:36:13.27

Please help in writing query for calculating duration and avg, max,min response time for all the transaction happened in a day

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2022 06:27 AM

Set the time frame for the search to be the day in question - this could be relative e.g. yesterday

search query
| eval dateTime=strptime(dateTime,"%F %T.%3N")
| stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID 
| eval duration=response-request
| stats avg(duration) as average min(duration) as minimum max(duration) as maximum

Depending on what you already have in your events, you may find that the _time field already holds the dateTime in epoch format so this could be simplified to

search query
| stats earliest(_time) AS request latest(_time) AS response BY TransactionID 
| eval duration=response-request
| stats avg(duration) as average min(duration) as minimum max(duration) as maximum

There is a "hidden" problem with this whereby if the transaction "starts" on the previous day or finishes on the "next" day, you may find that the earliest event in the search for the TransactionID is the only event returned by the search and is therefore the same as the latest, so the duration by this calculation will be zero.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2022 05:51 AM

Given that the Request and Response times are shown as strings, I suspect you need to parse them into epoch times with strptime() before doing any calculation on the values.

0 Karma
Reply
Solved! Jump to solution

BT
Path Finder
‎05-05-2022 06:10 AM

i am new to splunk, can you please provide the query to do so also to calculate duration = response-request , avg, max, min response time.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2022 06:27 AM

Set the time frame for the search to be the day in question - this could be relative e.g. yesterday

search query
| eval dateTime=strptime(dateTime,"%F %T.%3N")
| stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID 
| eval duration=response-request
| stats avg(duration) as average min(duration) as minimum max(duration) as maximum

Depending on what you already have in your events, you may find that the _time field already holds the dateTime in epoch format so this could be simplified to

search query
| stats earliest(_time) AS request latest(_time) AS response BY TransactionID 
| eval duration=response-request
| stats avg(duration) as average min(duration) as minimum max(duration) as maximum

There is a "hidden" problem with this whereby if the transaction "starts" on the previous day or finishes on the "next" day, you may find that the earliest event in the search for the TransactionID is the only event returned by the search and is therefore the same as the latest, so the duration by this calculation will be zero.

Reply
Solved! Jump to solution

BT
Path Finder
‎05-06-2022 01:23 AM

Thank you.. This works !!!! just another doubt.. the result avg , max, min are in seconds or miliseconds ?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-06-2022 01:33 AM

Seconds - epoch times are in seconds although they can have decimal places for sub-second values

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...