Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I find the response time with an event time and max time of the events

slearntrain
Explorer
‎03-21-2024 09:06 PM

We have a use case where we need to calculate the time difference between the maximum infotime (steptype="endNBflow") and infotime where steptype is "end payload". This particular message has 16 events comprising request and response flows. Request flow ends with "end Payload" and response flow ends with steptype "end NB Flow".

I have the below query:

index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" | sort infotime
| table appid,flowname, steptype, infotime

How can I retrieve the value what I am looking for. Any guidance here would be much appreciated.

 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

slearntrain
Explorer
‎03-25-2024 08:58 PM

Alright!!! I found the answer to this question- Modified the below query by changing the time formats of the new fields and then pulling out the difference --

index="abc" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd*"
| rex field=_raw "\"Application-ID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" |stats latest(eval(if(steptype="EndNBflow",max(infotime),0))) AS endNBflow , latest(eval(if(steptype="Deserialized payload",infotime,0))) AS endPayLoad , count(eval(match(_raw,"error"))) as error_count, dc(steptype) as unique_steptypes BY appid|where unique_steptypes >= 16 AND error_count=0|eval endNBflowtime=strptime(endNBflow, "%Y-%m-%d %H:%M:%S,%3N")
| eval endPayLoadtime=strptime(endPayLoad, "%Y-%m-%d %H:%M:%S,%3N")
| eval time_difference = endNBflowtime - endPayLoadtime
| table appid,endNBflow,endPayLoad, endNBflowtime, endPayLoadtime, time_difference

 

Results are like this :

Appid

endNBflow

Endpayload

endNBflowtime

Endpayloadtime

responsetime

Abcd1

2024-03-04 16:10:50,007

2024-03-04 16:10:49,886

1709529050.007000

1709529049.886000

0.121000

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-21-2024 10:29 PM

Hi @slearntrain,

you have to use stats instead table:

index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" 
| stats
   latest(eval(if(steptype="endNBflow"))) AS endNBflow
   latest(eval(if(steptype="end payload"))) AS endPayload
   BY appid flowname
| eval diff=endPayload-endNBflow

Ciao.

Giuseppe

Reply
Solved! Jump to solution

slearntrain
Explorer
‎03-24-2024 04:43 PM

Hi gcusello, 

Thank you for responding. unfortunately, I didn't quite get what I was looking for. Initially, when I ran your query, I got the error that if command does not meet the requirement. So I had to add the true/false parameters.

As I am looking for infotime for each of the steptypes, I added in the true section. -- "latest(eval(if(steptype="endNBflow", infotime,0)))"

Now, I need to find the "diff" (responseTime) in the table equivalent to the appid as that is the response time for the message.

I have modified your query based on the time formats that I want:

 

index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" 
| stats
   latest(eval(if(steptype="endNBflow", infotime,0))) AS endNBflow
   latest(eval(if(steptype="end payload",max(infotime),0))) AS endPayload
   BY appid flowname|eval endNBflowtime=strptime(endNBflow,"%Y-%m-%d %H:%M:%S,%3N")| eval endPayLoadtime=strptime(endPayLoad,"%Y-%m-%d %H:%M:%S,%3N")|eval diff=endpayloadtime-endNBflowtime|eval responseTime=strftime(diff,"%Y-%m-%d %H:%M:%S,%3N")

But now how to bring the response time in the table format corresponding to the appid?

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2024 10:33 PM

Hi @slearntrain,

yes, sorry: I forgot the second part of the if statements, but now it's correct.

what's the format you would for the results?

With this earch you have in the same row:

  • appid
  • flowname
  • endNBflow
  • endPayload
  • diff

if you want to have in different rows endNBflow and endPayload, where do you want to put the difference?

Could you indicate how would you have the results?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

slearntrain
Explorer
‎03-25-2024 06:23 PM

Hi Giuseppe,

I want to view the results in the below format. I also want the diff time in human readable format like 10sec, 15 mins etc.

Appid

Responsetime(Diff)

In my usecase- I have more that 5000 messages, each successful message has 16 steptypes, so I have put the query in this way.-

index="abc" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd*"
| rex field=_raw "\"Application-ID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" |stats latest(eval(if(steptype="EndNBflow",max(infotime),0))) AS endNBflow latest(eval(if(steptype="Deserialized payload",infotime,0))) AS endPayLoad dc(steptype) as unique_steptypes by appid|where unique_steptypes >= 16 |eval diff=endNBflow-endPayLoad

 

My earlier code included- 

| rex field=_raw "INFO  ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))"

| stats max(infotime) as maxinfotime, min(infotime) as mininfotime,count(eval(match(_raw, "error"))) as error_count, dc(steptype) as unique_steptypes by appid

| where error_count = 0

| eval maxtime=strptime(maxinfotime,"%Y-%m-%d %H:%M:%S,%3N") | eval mintime=strptime(mininfotime,"%Y-%m-%d %H:%M:%S,%3N") |  eval TimeDiff=maxtime-mintime | eval TimeDiff_formated = strftime(TimeDiff,"%H:%M:%S,%3N")| where unique_steptypes >= 16|sort steptype

| table appid, mininfotime, maxinfotime, mintime, maxtime, TimeDiff_formated, unique_steptypes, flowname

I am unable to club these two and get the expected output. 

0 Karma
Reply
Solved! Jump to solution
Solution

slearntrain
Explorer
‎03-25-2024 08:58 PM

Alright!!! I found the answer to this question- Modified the below query by changing the time formats of the new fields and then pulling out the difference --

index="abc" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd*"
| rex field=_raw "\"Application-ID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" |stats latest(eval(if(steptype="EndNBflow",max(infotime),0))) AS endNBflow , latest(eval(if(steptype="Deserialized payload",infotime,0))) AS endPayLoad , count(eval(match(_raw,"error"))) as error_count, dc(steptype) as unique_steptypes BY appid|where unique_steptypes >= 16 AND error_count=0|eval endNBflowtime=strptime(endNBflow, "%Y-%m-%d %H:%M:%S,%3N")
| eval endPayLoadtime=strptime(endPayLoad, "%Y-%m-%d %H:%M:%S,%3N")
| eval time_difference = endNBflowtime - endPayLoadtime
| table appid,endNBflow,endPayLoad, endNBflowtime, endPayLoadtime, time_difference

 

Results are like this :

Appid

endNBflow

Endpayload

endNBflowtime

Endpayloadtime

responsetime

Abcd1

2024-03-04 16:10:50,007

2024-03-04 16:10:49,886

1709529050.007000

1709529049.886000

0.121000
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-25-2024 11:37 PM

Hi @slearntrain ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...