Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate duration between two log entries?

splunkhadi_480
Engager
‎08-16-2022 12:51 AM

i have the following two entries

 

Time Event
8/16/22
1:46:22.592 PM		 2022/08/16 13:46:22.592154:P_GUI_SERV06 :pbaho3 : 98(cli) : Exit Allocate Order on portfolio list [ABC_DPM_MM_BALANCED] with all instruments (Thread:00000001197f4730)
host = PBIPSG07source = /app/PBISG/aaa/current/msg/server.logsourcetype = prd-pbisg-server-logtimeendpos = 26timestartpos = 0
8/16/22
1:45:51.201 PM		 2022/08/16 13:45:51.201360:P_GUI_SERV06 :pbaho3 : 98(cli) : Start Allocate Order on portfolio list [ABC_DPM_MM_BALANCED] with all instruments (Thread:00000001197f4730)
host = PBIPSG07

 

The entry will start with an entry like 'Start Allocate Order' and end with "Exit Allocate Order"

 

how do i build a Splunk search to calculate the duration taken between those two event ?

 

Based on the above , i would like to build more complex search:

notice that there is ':pbaho3:' , so there will be multiple users in this case is 'pbaho3' , so how do i group the entries by specific users ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:11 AM

Hi @splunkhadi_480,

you have an easy way to xorrelate events using the transpose command (https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Transaction) but it depends on the firld you extracted, I suppose that you already extracted all of them:

<your_search>
| transaction portfolio_list user startswith="Start Allocate Order" endswith="Exit Allocate Order"
| table _time portfolio_list user duration

but it's a very slow command, so you could try this solution:

<your_search> ("Start Allocate Order" OR "Exit Allocate Order")
| stats earliest(_time) AS earliest latest(_time) AS latest BY portfolio_list user
| eval duration=latest-earliest
| table _time portfolio_list user duration

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-16-2022 01:11 AM

Hi @splunkhadi_480,

you have an easy way to xorrelate events using the transpose command (https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Transaction) but it depends on the firld you extracted, I suppose that you already extracted all of them:

<your_search>
| transaction portfolio_list user startswith="Start Allocate Order" endswith="Exit Allocate Order"
| table _time portfolio_list user duration

but it's a very slow command, so you could try this solution:

<your_search> ("Start Allocate Order" OR "Exit Allocate Order")
| stats earliest(_time) AS earliest latest(_time) AS latest BY portfolio_list user
| eval duration=latest-earliest
| table _time portfolio_list user duration

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

splunkhadi_480
Engager
‎08-16-2022 01:16 AM

Thank you so much Giuseppe for your help

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...