Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate duration difference between event...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have the following logs:
2019-05-30 14:39:00,115 traceId=AAAAAA msg=Incoming with body {"parameters":[{"dataType":0,"value":"{\"code\":\"OPEN\",....}...}]}
2019-05-30 14:43:56,778 INFO traceId=AAAAAA msg=Json Object Before n .. MqttMessageModel [sessionId=111, code=SENT, ...]
And I would like to get the time difference between these two events/logs. I need to know the difference depending on the code. As the code changes from OPEN to SENT, how long did it take?
In an ideal scenario if I had correct logs I would use the following.
But in my case how can I get the time difference between the events?
host=host" source="source" code="OPEN" OR code="SENT"
| transaction traceId startswith=OPEN endswith=SENT
| table duration _time traceId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amunag439 ,
Your ideal world search will probably work if you take the code="OPEN" OR code="SENT" out of the initial search:
host=host" source="source" | transaction traceId startswith=OPEN endswith=SENT | table duration _time traceId
or you could adjust it to work for your data (as long as tradeId is extracted properly):
host=host" source="source" "OPEN*" OR "SENT*"
| transaction traceId startswith=OPEN endswith=SENT
| table duration _time traceId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @amunag439 ,
Your ideal world search will probably work if you take the code="OPEN" OR code="SENT" out of the initial search:
host=host" source="source" | transaction traceId startswith=OPEN endswith=SENT | table duration _time traceId
or you could adjust it to work for your data (as long as tradeId is extracted properly):
host=host" source="source" "OPEN*" OR "SENT*"
| transaction traceId startswith=OPEN endswith=SENT
| table duration _time traceId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response @jnudell_2. I have one more query related to this. What if I'm not able to extract traceId or any other common parameter/string from the logs? Does Splunk provide anything of that sort?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there is no common string/parameter to tie events together, I'm not sure how you would be able to create a transaction. The transaction command does have several options for limiting the size of transactions by time or number of events, but the use cases where that might work are probably very small.
The whole concept of a transaction is that you have a uniquely identifying piece of information that belongs to the same chain of events.
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
September Community Champions: A Shoutout to Our Contributors!
Community Content Calendar, October Edition
