How do you find the time difference for fields wit...

venkatrajan04 · ‎02-04-2019

CorrelationID=1==, CaseID=2 endProcess=SubmitInfo , 2019-02-02 11:02:06,130
CorrelationID=1==, CaseID=2 STartProcess=SubmitInfo , 2019-02-02 11:02:05,130
CorrelationID=1==, CaseID=2 EndProcess=ReviewInfo , 2019-02-02 11:02:04,130
CorrelationID=1==, CaseID=2 StartProcess=ReviewInfo , 2019-02-02 11:02:03,130
CorrelationID=1==, CaseID=2  Intent=OrderScheduling 2019-02-02 11:02:02,130

I have a list of processes for my application. What I would need to find is the screentime between events.

That is I need to find the screen time for a particular intent.

I have tried using transaction to group the event with starttime and end time, but somehow, I am not able to find the screen times by intent. I can find the screen times regardless

I am looking for something like the one below.

 Intent                        process .             duration
Order Scheduling .   ReviewInfo .      1sec
                                    SUbmit Info       2 sec

woodcock · ‎02-04-2019

How about this:

| makeresults 
| eval raw="CorrelationID=1==, CaseID=2 endProcess=SubmitInfo , 2019-02-02 11:02:06,130:::CorrelationID=1==, CaseID=2 STartProcess=SubmitInfo , 2019-02-02 11:02:05,130:::CorrelationID=1==, CaseID=2 EndProcess=ReviewInfo , 2019-02-02 11:02:04,130:::CorrelationID=1==, CaseID=2 StartProcess=ReviewInfo , 2019-02-02 11:02:03,130:::CorrelationID=1==, CaseID=2 Intent=OrderScheduling 2019-02-02 11:02:02,130" 
| makemv delim=":::" raw 
| mvexpand raw 
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex "^CorrelationID=(?<CorrelationID>\d+)\S+\s+CaseID=(?<CaseID>\d+)\s+(?:(?:(?<startORstop>((?i)start|end))Process=)|(?:(?<Intent>Intent)=))(?<process>\S+).*?(?<_time>\d{4}-.*)$"
| eval _time = strptime(_time, "%Y-%m-%d %H:%M:%s,%3n")
| eval startORstop=lower(startORstop)
| appendpipe [ stats range(_time) AS duration BY CaseID CorrelationID | eval process="TOTAL"]
| stats range(_time) AS process_duration first(duration) AS total_duration BY CaseID CorrelationID process
| search process_duration>0 OR total_duration>0

chrisyounger · ‎02-04-2019

this is a better answer becuase it uses stats :thumbs_up:

chrisyounger · ‎02-04-2019

Hi @venkatrajan04

I have made this example that shows you how you can do what you want:

| makeresults 
| eval _raw = "
RAW
CorrelationID=1 CaseID=2 endProcess=SubmitInfo   2019-02-02 11:02:06
CorrelationID=1 CaseID=2 StartProcess=SubmitInfo 2019-02-02 11:02:05
CorrelationID=1 CaseID=2 EndProcess=ReviewInfo   2019-02-02 11:02:04
CorrelationID=1 CaseID=2 StartProcess=ReviewInfo 2019-02-02 11:02:03
CorrelationID=1 CaseID=2 Intent=OrderScheduling  2019-02-02 11:02:02" 
| multikv 
| extract 
| rex "\S+\s+\S+\s+[^=]+=(?<the_intent>\S+)\s+(?<the_time>\S+\s+\S+)"
| eval _time = strptime(the_time, "%Y-%m-%d %H:%M:%S")
| sort - _time
| transaction CorrelationID CaseID the_intent
| table CorrelationID CaseID the_intent duration eventcount

Remember that _time has to be in specific order for transaction to work properly.

Hope this solves your problem.

How do you find the time difference for fields within transactions?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How do you find the time difference for fields within transactions?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine