Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I calculate the Average time usage per day when using Transaction and Bin?

maria2691
Path Finder
‎01-17-2018 07:36 AM

Hello Everyone

I have 2 source types ProcessStart and ProcessEnd.
The common field with which I need to find out the duration of runtime is RunID.
My requirement is to find out the total time the processes are running in a particular host and show their average usage time per day.
Below is my Query:

 sourcetype=ProcessStart OR sourcetype=ProcessEnd 
 | transaction RunID 
 | bin _time span=1d 
 | stats sum(duration) AS Duration by _time host 
 | stats avg(Duration) as "Average Usage" by host 
 | eval "Average Usage"=round(('Average Usage'/3600),2) 
 | rename host as "Virtual Machine" 
 | sort- "Average Usage"

I have used Transaction on RunID and used bin command to segregate them day wise. I am able to get the final result by not by day wise. For eg: It should be below 24 hours even if I am checking the events for 100 days since the output is required to showing the total day wise average.

How do I make the final Average usage by host field to calculate the whole duration and divide them by number of days?

I used days=round(now()-_time) and tried to divide Average Usage/days and it doesn't work.

Also I have a performance issue when running this Query, it is very slow. What would be the reason and how can I rectify it?

Thanks & Regards
Maria Arokiaraj

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-17-2018 08:27 AM

I believe you should be using stats command instead of transaction command (very expensive command) to mitigate your performance issue.

sourcetype=ProcessStart OR sourcetype=ProcessEnd 
  | eval start=if(sourcetype="ProcessStart",_time,null())
  | eval end=if(sourcetype="ProcessEnd",_time,null())
  | stats values(start) as _time values(end) as end by host RunID
  | eval duration=end-_time | bucket span=1d _time
  | stats avg(duration) AS Duration by _time host 
  | stats avg(Duration) as "Average Usage" by host 
  | eval "Average Usage"=round(('Average Usage'/3600),2) 
  | rename host as "Virtual Machine" 
  | sort- "Average Usage"

Also try this

sourcetype=ProcessStart OR sourcetype=ProcessEnd 
  | eval start=if(sourcetype="ProcessStart",_time,null())
  | eval end=if(sourcetype="ProcessEnd",_time,null())
  | stats values(start) as _time values(end) as end by host RunID
  | eval duration=end-_time | bucket span=1d _time
  | stats sum(duration) AS Duration by _time host 
  | stats sum(Duration) as "Average Usage" dc(_time) as days by host 
  | eval "Average Usage"=round(('Average Usage'/days/3600),2) 
  | rename host as "Virtual Machine" 
  | sort- "Average Usage"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-17-2018 08:27 AM

I believe you should be using stats command instead of transaction command (very expensive command) to mitigate your performance issue.

sourcetype=ProcessStart OR sourcetype=ProcessEnd 
  | eval start=if(sourcetype="ProcessStart",_time,null())
  | eval end=if(sourcetype="ProcessEnd",_time,null())
  | stats values(start) as _time values(end) as end by host RunID
  | eval duration=end-_time | bucket span=1d _time
  | stats avg(duration) AS Duration by _time host 
  | stats avg(Duration) as "Average Usage" by host 
  | eval "Average Usage"=round(('Average Usage'/3600),2) 
  | rename host as "Virtual Machine" 
  | sort- "Average Usage"

Also try this

sourcetype=ProcessStart OR sourcetype=ProcessEnd 
  | eval start=if(sourcetype="ProcessStart",_time,null())
  | eval end=if(sourcetype="ProcessEnd",_time,null())
  | stats values(start) as _time values(end) as end by host RunID
  | eval duration=end-_time | bucket span=1d _time
  | stats sum(duration) AS Duration by _time host 
  | stats sum(Duration) as "Average Usage" dc(_time) as days by host 
  | eval "Average Usage"=round(('Average Usage'/days/3600),2) 
  | rename host as "Virtual Machine" 
  | sort- "Average Usage"
Reply
Solved! Jump to solution

maria2691
Path Finder
‎01-17-2018 08:44 AM

Hello @somesoni2

I am able to get the result very quickly with these Queries, Thanks.
I would like to understand how the duration is calculated here.
When I used Transaction, I was able to get the duration by it's total running time (calculated between 2 events).
There are 2 fields RobotStart and RobotEnd in these events, if we use that, it would be perfect I suppose. They have time values that looks like "01/17/2018 16:42:07". Can we use these to get the exact results?

Thanks

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-17-2018 08:59 AM

With above queries, I'm using _time field of the events from sourcetype=ProcessStart and sourcetype=ProcessEnd to calculate the difference (The stats on line 4 gets both epoch timestamp values for each RunID and line 5 calculates it). If you want to use timestamp values other that _time, then you need to update line 2 and 3 to use those fields instead of _time. E.g. (only showing line 2 and 3)

| eval start=if(sourcetype="ProcessStart",strptime(RobotStart,"%m/%d/%Y %H:%M:%S"),null())
   | eval end=if(sourcetype="ProcessEnd",strptime(RobotEnd,"%m/%d/%Y %H:%M:%S"),null())
0 Karma
Reply
Solved! Jump to solution

maria2691
Path Finder
‎02-06-2018 08:10 AM

Hello @somesoni2

I have a problem with days calculation in the above solution shared by you.
The number of days return for some hosts so dramatically high. When I am checking the events for last 1 year, the max number of days should be 365 since we are calculating the dc(_time), however the results are like 18000 for some. How would it be possible, I am trying in different ways to correct it without any success. Can you help?

Thanks
Maria Arokiaraj

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-06-2018 08:28 AM

In above query, there will be a row for each runId with different start time. What's the query you're trying?

0 Karma
Reply
Solved! Jump to solution

maria2691
Path Finder
‎02-06-2018 08:31 AM

I am trying with the same query, however the issue persists @somesoni2 😞
sourcetype=ProcessStart OR sourcetype=ProcessEnd
| eval start=if(sourcetype="ProcessStart",_time,null())
| eval end=if(sourcetype="ProcessEnd",_time,null())
| stats values(start) as _time values(end) as end by host RunID
| eval duration=end-_time | bucket span=1d _time
| stats sum(duration) AS Duration by _time host
| stats sum(Duration) as "Average Usage" dc(_time) as days by host
| eval "Average Usage"=round(('Average Usage'/days/3600),2)
| rename host as "Virtual Machine"
| sort- "Average Usage"

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-06-2018 09:04 AM

So you're saying if you run following, you get ~18000 for value in column days?

sourcetype=ProcessStart OR sourcetype=ProcessEnd 
   | eval start=if(sourcetype="ProcessStart",_time,null())
   | eval end=if(sourcetype="ProcessEnd",_time,null())
   | stats values(start) as _time values(end) as end by host RunID
   | eval duration=end-_time | bucket span=1d _time
   | stats sum(duration) AS Duration by _time host 
   | stats sum(Duration) as "Average Usage" dc(_time) as days by host

In line 4, try to replace the values( function with max( for both start and end.

0 Karma
Reply
Solved! Jump to solution

maria2691
Path Finder
‎02-06-2018 09:17 AM

Thanks @somesoni2. This worked 🙂 Now all the lines are around 200 days as expected.
Thanks again for your help!

0 Karma
Reply
Solved! Jump to solution

maria2691
Path Finder
‎01-17-2018 09:38 AM

Thanks a lot @somesoni2... It works with both the ones.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-17-2018 08:08 AM

Do all those runID run everyday??

0 Karma
Reply
Solved! Jump to solution

maria2691
Path Finder
‎01-17-2018 08:19 AM

Hello @somesoni2

RunIDs are created every time there is a new task on the host. The ones which already exist, does not get updated.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...