Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding duration, average time, maximum time for specific logs

pushpender07
Explorer
‎04-19-2018 09:48 PM

The logging that we do is not perfect hence need some help.

Log 1 (request) - {"date":"19-04-2018 21:40:11,221", "transactionId":"123", "className":"Class1", "methodName":"login", "elapsedTime":"2284896391"}
Log 2 (response)- {"date":"19-04-2018 21:40:11,253", "transactionId":"123", "className":"Class1", "methodName":"login", "elapsedTime":"2317835633"}

Log 1 is the request, Log 2 is the response. I want to find the duration of each login service request/ response. Transaction id is same in both cases so could be used as a unique value. Not sure what elapsedTime represents.

Any help would be highly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-22-2018 02:01 PM

Like this:

Your Base Search | stats range(_time) AS duration BY transactionId

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-22-2018 02:01 PM

Like this:

Your Base Search | stats range(_time) AS duration BY transactionId
0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎04-23-2018 03:17 PM

Thanks for the help

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-23-2018 05:08 PM

You might also like to add:

| eval duration=tostring(duration, "duration")
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎04-20-2018 12:24 AM

Try this:

| eval date=strptime(date,"%d-%m-%Y %H:%M:%S,%3N")
| stats min(date) AS start, max(date) AS max_date BY transactionId
| eval duration=max_date-min_date

0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎04-20-2018 09:16 AM

This created transactionId, start, and max_date. It doesn't show the duration though. This is helpful though, I will try to take it from here.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-19-2018 10:06 PM

Try something like:

| transaction transactionId

it will create duration field.

0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎04-20-2018 09:14 AM

Thanks, this helped

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...