Splunk Search

Finding time between two events.

lakromani
Builder

Using transaction I have grouped together events for the same users.
There are two types of event:
1. Send SMS to user.
2. Log in with this user.

It looks like this:

Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504

Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083

Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212

Some users log in several times.

I would like to calculate the time from the sent SMS to the first login.
The result I need is something like this:

91813504 00:01:56
91300083 00:01:32
41237212 00:00:40

Then I can graph the duration over time and see if there is something wrong with the SMS sent to the user.
How do I do this?

Maybe I do not need to use transaction, but it gives me a visual view of the events that belong to the same user.

0 Karma
1 Solution

skoelpin
SplunkTrust

You are correct about using transaction. Add this at the end of your search:

... | timechart avg(duration)

Duration is a Splunk keyword which will find the difference between the timestamps


lakromani
Builder

Thanks. This was very close to what I need. The problem is where a user has logged in more than once with the same username. avg(duration) gives the time between the first and last event. I need the time between the first event and the second event. Or, to be more specific, the time between the last received SMS and the first login after it. A user may request as many SMS as he likes, so he can request two SMS and then log in using the information in the last SMS.

0 Karma

lakromani
Builder

Since the majority of the users have only one SMS and one login, and the transaction needs to contain both, I just use eventcount=2 in the search after the transaction. This way I ignore all the others and get a correct view. Thanks.

0 Karma

gyarici
Path Finder

Hi,

I would recommend that you use the "transaction" command to calculate the duration:

... | transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" | concurrency duration=duration

Then you can classify the duration by phone numbers and IP address if you need.

Hope it is ok.

Thanks

Gokhan

0 Karma

lakromani
Builder

This does not work, since one user may log in between another user sending an SMS and logging in. transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" mixes users together.

0 Karma
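The metric the thread settles on is "seconds from the last SMS sent to a user to that user's first login after it", keyed on the username so that interleaved events from other users cannot be mixed together. The following is an added example, not code from the original posts or from Splunk, that computes exactly that outside Splunk from the syslog lines quoted in the question. The sample input is constructed: the first seven lines are the events quoted above (sorted by time they interleave across users, which is what breaks the startswith/endswith-only approach), and the last three lines are additions to exercise the two edge cases the asker raised: a user who requests two SMS before logging in, and a user who never logs in. The year is not present in the timestamps, so 2024 is assumed for parsing; it does not affect the durations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. Lines 1-7 are the events quoted in the question;
# lines 8-10 are added here to cover "two SMS then login" and "SMS but no login".
SAMPLE_LOG = """\
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
Jan 22 11:55:00 172.30.112.1 PORTAL: SMS sent to 47000001.
Jan 22 11:57:30 172.30.112.1 PORTAL: SMS sent to 47000001.
Jan 22 11:58:00 172.30.112.1 AAA: 172.30.40.120 logged in with username 47000001
Jan 22 11:59:00 172.30.112.1 PORTAL: SMS sent to 47000002.
"""

# Syslog has no year; assumed value used only so the timestamps parse.
ASSUMED_YEAR = 2024

TS = r"(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})"
SMS_RE = re.compile(TS + r" \S+ PORTAL: SMS sent to (?P<user>\d+)\.?$")
LOGIN_RE = re.compile(TS + r" \S+ AAA: (?P<src>\S+) logged in with username (?P<user>\d+)$")


def parse_ts(s):
    return datetime.strptime(f"{ASSUMED_YEAR} {s}", "%Y %b %d %H:%M:%S")


def parse_events(text):
    """Return (timestamp, kind, user) tuples for SMS and login lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = SMS_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), "sms", m["user"]))
            continue
        m = LOGIN_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), "login", m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def sms_to_first_login(events):
    """Per user: seconds from the last SMS before the first login to that login.

    Grouping by user first is what keeps interleaved users apart. A user with an
    SMS but no login, or a login with no preceding SMS, is reported as None so the
    gap is visible rather than silently dropped.
    """
    by_user = defaultdict(list)
    for ts, kind, user in events:
        by_user[user].append((ts, kind))

    result = {}
    for user, evs in by_user.items():
        last_sms = None
        duration = None
        for ts, kind in evs:  # already in time order
            if kind == "sms":
                last_sms = ts  # a newer SMS supersedes the older one
            elif kind == "login":
                if last_sms is not None:
                    duration = int((ts - last_sms).total_seconds())
                break  # only the first login counts; later logins are ignored
        result[user] = duration
    return result


def fmt_hms(seconds):
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def report(text):
    """user -> 'HH:MM:SS' (or None), the shape of the table the asker wanted."""
    return {u: (fmt_hms(d) if d is not None else None)
            for u, d in sms_to_first_login(parse_events(text)).items()}


if __name__ == "__main__":
    for user, hms in report(SAMPLE_LOG).items():
        print(user, hms)
```

The same idea applies inside Splunk: whatever groups the events has to key on the phone number extracted from both event types, not only on the start and end patterns, and the duration has to be measured from the most recent SMS to the first login rather than across the whole group. The per-user loop above makes that rule explicit, and the None entries are worth keeping in any graph, since "SMS sent, never logged in" is the failure the asker is trying to spot.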