Splunk Search

Finding time between two events.

Builder

Using transaction I have grouped together events for the same user.
There are two types of events:
1. Send SMS to user.
2. Log in with this user.

It looks like this:

Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504

Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083

Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212

Some users log in several times.

I would like to calculate the time from the SMS being sent to the first login.
The result I need is something like this:

91813504 00:01:56
91300083 00:01:32
41237212 00:00:40

Then I can graph the duration over time and see if there is something wrong with the SMS sent to the user.
How do I do this?

Maybe I do not need to use transaction, but it gives me a visual view of the events that belong to the same user.


SplunkTrust

You are correct about using transaction. Add this at the end of your search:

... | timechart avg(duration)

Duration is a Splunk keyword which will find the difference between the timestamps.


Builder

Thanks. This was very close to what I need. The problem is where a user has logged in more than once with the same username. avg(duration) gives the time between the first and last event. I need the time between the first event and the second event. Or, to be more specific, the time between the last received SMS and the first login after it. A user may request as many SMS as he likes, so he can request two SMS and then log in using the information in the last SMS.


Builder

Since the majority of the users only have one SMS and one login, and the transaction needs to contain both, I just use eventcount=2 in the search after the transaction. This way I ignore all the others and get a correct view. Thanks.


Path Finder

Hi,

I would recommend you use the "transaction" command to calculate the duration.

transaction startswith="PORTAL: SMS sent to"   endswith="logged in with username" |concurrency duration=duration

Then you can classify the duration by phone numbers and IP address if you need.

Hope it is ok.

Thanks

Gokhan


Builder

This does not work, since one user may log in between another user sending an SMS and logging in. transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" mixes users together.

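The two problems raised in this thread (a user who requests several SMS before logging in, and events from different users interleaving in time) are both solved by carrying per-user state: remember the most recent SMS for each user and match it to that user's next login only. The following Python script is an added example, not code from the thread or from Splunk; it reproduces that matching logic outside Splunk on constructed log lines modelled on the ones above (the user 55512345, the year used for parsing and the IP addresses are assumptions). It returns, per user, the seconds from the last SMS to the first login after it, ignoring later logins that have no outstanding SMS.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the thread's examples (hypothetical data).
# Lines from different users are interleaved, user 55512345 requests two SMS
# before logging in, and user 41237212 logs in a second time with no new SMS.
SAMPLE_LOG = """\
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:55:00 172.30.112.1 PORTAL: SMS sent to 55512345.
Jan 22 11:57:30 172.30.112.1 PORTAL: SMS sent to 55512345.
Jan 22 11:58:00 172.30.112.1 AAA: 172.30.40.120 logged in with username 55512345
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
"""

# Syslog-style timestamp, a host, then one of the two event shapes from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:PORTAL: SMS sent to (?P<sms_user>\d+)\.?"
    r"|AAA: \S+ logged in with username (?P<login_user>\d+))$"
)

YEAR = 2024  # syslog timestamps carry no year; assumed here so they can be parsed


def parse_line(line):
    """Return (timestamp, kind, user) for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["sms_user"]:
        return ts, "sms", m["sms_user"]
    return ts, "login", m["login_user"]


def sms_to_first_login(log_text):
    """Map each user to the list of seconds between the last SMS sent to them
    and the first login that follows it. A newer SMS replaces an older,
    unmatched one; a login with no outstanding SMS is ignored."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # chronological order across all users
    pending = {}                      # user -> time of the latest unmatched SMS
    durations = defaultdict(list)
    for ts, kind, user in events:
        if kind == "sms":
            pending[user] = ts        # supersedes any earlier unmatched SMS
        elif user in pending:         # first login after that SMS
            durations[user].append(int((ts - pending.pop(user)).total_seconds()))
    return dict(durations)


def fmt_hms(seconds):
    """Format seconds as HH:MM:SS, matching the result layout in the question."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def report(log_text):
    """One 'user HH:MM:SS' line per matched SMS/login pair, sorted by user."""
    return [
        f"{user} {fmt_hms(d)}"
        for user in sorted(sms_to_first_login(log_text))
        for d in sms_to_first_login(log_text)[user]
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The same idea carries over to SPL: instead of one transaction spanning from any SMS to any login, extract the user from both event types and carry the latest SMS time per user with streamstats (grouped by user) so that each login is compared only with that user's own most recent SMS.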