CorrelationID=1==, CaseID=2 endProcess=SubmitInfo , 2019-02-02 11:02:06,130
CorrelationID=1==, CaseID=2 STartProcess=SubmitInfo , 2019-02-02 11:02:05,130
CorrelationID=1==, CaseID=2 EndProcess=ReviewInfo , 2019-02-02 11:02:04,130
CorrelationID=1==, CaseID=2 StartProcess=ReviewInfo , 2019-02-02 11:02:03,130
CorrelationID=1==, CaseID=2 Intent=OrderScheduling 2019-02-02 11:02:02,130
I have a list of processes for my application. What I need to find is the screen time between events.
That is, I need to find the screen time for a particular intent.
I have tried using transaction to group the events by start time and end time, but somehow I am not able to find the screen times by intent. I can find the screen times regardless.
I am looking for something like the one below.
Intent            process      duration
Order Scheduling  ReviewInfo   1 sec
                  Submit Info  2 sec
How about this:
| makeresults
| eval raw="CorrelationID=1==, CaseID=2 endProcess=SubmitInfo , 2019-02-02 11:02:06,130:::CorrelationID=1==, CaseID=2 STartProcess=SubmitInfo , 2019-02-02 11:02:05,130:::CorrelationID=1==, CaseID=2 EndProcess=ReviewInfo , 2019-02-02 11:02:04,130:::CorrelationID=1==, CaseID=2 StartProcess=ReviewInfo , 2019-02-02 11:02:03,130:::CorrelationID=1==, CaseID=2 Intent=OrderScheduling 2019-02-02 11:02:02,130"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."
| rex "^CorrelationID=(?<CorrelationID>\d+)\S+\s+CaseID=(?<CaseID>\d+)\s+(?:(?:(?<startORstop>((?i)start|end))Process=)|(?:(?<Intent>Intent)=))(?<process>\S+).*?(?<_time>\d{4}-.*)$"
| eval _time = strptime(_time, "%Y-%m-%d %H:%M:%S,%3N")
| eval startORstop=lower(startORstop)
| appendpipe [ stats range(_time) AS duration BY CaseID CorrelationID | eval process="TOTAL"]
| stats range(_time) AS process_duration first(duration) AS total_duration BY CaseID CorrelationID process
| search process_duration>0 OR total_duration>0
This is a better answer because it uses stats :thumbs_up:
Hi @venkatrajan04
I have made this example that shows you how you can do what you want:
| makeresults
| eval _raw = "
RAW
CorrelationID=1 CaseID=2 endProcess=SubmitInfo 2019-02-02 11:02:06
CorrelationID=1 CaseID=2 StartProcess=SubmitInfo 2019-02-02 11:02:05
CorrelationID=1 CaseID=2 EndProcess=ReviewInfo 2019-02-02 11:02:04
CorrelationID=1 CaseID=2 StartProcess=ReviewInfo 2019-02-02 11:02:03
CorrelationID=1 CaseID=2 Intent=OrderScheduling 2019-02-02 11:02:02"
| multikv
| extract
| rex "\S+\s+\S+\s+[^=]+=(?<the_intent>\S+)\s+(?<the_time>\S+\s+\S+)"
| eval _time = strptime(the_time, "%Y-%m-%d %H:%M:%S")
| sort - _time
| transaction CorrelationID CaseID the_intent
| table CorrelationID CaseID the_intent duration eventcount
Remember that _time has to be in a specific order for transaction to work properly.
Hope this solves your problem.
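The question asks for durations listed per intent. The search below is an added example, not part of either answer: it carries the Intent value forward onto the process events that follow it and then measures each process with stats. It assumes an Intent event precedes its process events within the same CorrelationID and CaseID; the field names phase, ts and duration_sec are this example's own.

```spl
| makeresults
| eval raw="CorrelationID=1==, CaseID=2 endProcess=SubmitInfo , 2019-02-02 11:02:06,130:::CorrelationID=1==, CaseID=2 STartProcess=SubmitInfo , 2019-02-02 11:02:05,130:::CorrelationID=1==, CaseID=2 EndProcess=ReviewInfo , 2019-02-02 11:02:04,130:::CorrelationID=1==, CaseID=2 StartProcess=ReviewInfo , 2019-02-02 11:02:03,130:::CorrelationID=1==, CaseID=2 Intent=OrderScheduling 2019-02-02 11:02:02,130"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everything above rebuilds the sample events from the question. phase and ts are names chosen for this example."
| rex "CorrelationID=(?<CorrelationID>\d+)\S*\s+CaseID=(?<CaseID>\d+)"
| rex "(?i)(?<phase>start|end)Process=(?<process>\S+)"
| rex "Intent=(?<Intent>\S+)"
| rex "(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S,%3N")
| rename COMMENT AS "Oldest first, so every process event comes after the Intent event it belongs to."
| sort 0 _time
| rename COMMENT AS "Assumption: an Intent event precedes its process events. streamstats copies the latest non-null Intent forward per CorrelationID and CaseID."
| streamstats last(Intent) AS Intent BY CorrelationID CaseID
| rename COMMENT AS "Drop the Intent marker rows, then take end minus start for each process."
| where isnotnull(process)
| stats range(_time) AS duration_sec BY CorrelationID CaseID Intent process
| table Intent process duration_sec
```

If a process can run more than once under the same intent, range(_time) would span all of its runs, so the start/end pairs would need to be numbered first and added to the BY clause.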