Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate duration inside a LDAP transactio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate duration inside a LDAP transaction for different LDAP operations
sgoyal
New Member
09-20-2013
04:49 AM
An Example:
Sep 20 12:36:30 simxxx slapd_simxxx[14304]: conn=2045 fd=28 ACCEPT from IP=99.888.7.50:50716 (IP=0.0.0.0:636)
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 fd=28 TLS established tls_ssf=128 ssf=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=msst,o=muenchen,c=de" method=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=mssgmt,o=muenchen,c=de" mech=SIMPLE ssf=0
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=0 RESULT tag=97 err=0 text=
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=1 ADD dn="cn=aatek,ou=aaaaahange,ou=Kess,o=aaa,c=de"
Sep 20 12:36:33 simxxx slapd_simxxx[14304]: conn=2045 op=1 RESULT tag=105 err=0 text=
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 PASSMOD id="cn=aaatek,ou=dddd,ou=ken,o=dddn,c=de" new
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 RESULT oid= err=0 text=
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH base="cn=sssstek,ou=Psss,ou=Kess,o=sss,c=de" scope=0 deref=0 filter="(|(objectClass=inetOrgPerson))"
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH attr=objectclass
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=4 UNBIND
Sep 20 12:36:37 simxxx slapd_simxxx[14304]: conn=2045 fd=28 closed
I want the result in a form of table
conn|op|delay|
--------------
2045|0| 00:00:01
|1| 00:00:01
|2| 00:00:00
|3| 00:00:01
|4| 00:00:00
I have declared several field extractions for the values Client_Domain which in this case is 99.888.7, also Bind_Op which is 0 and Search_Op which is 3 in this case. I have earlier written a Perl Script which could give me the desired values because I could store the value in Variables and while pattern matching in other lines, could give the value of the variable.
This is not possible in Splunk.
Can you help me out with this. Thanks to Splunk Community.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
09-20-2013
06:57 AM
Something along these lines?
sourcetype=ldap | stats min(_time) as min_t max(_time) as max_t by conn, op | eval dur=tostring((max_t-min_t), "duration") | fields - min_t - max_t
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-23-2013
02:38 AM
Hi sgoyal,
in addition to /K answers consider to configure your LDAP server to log the etime for each operations. This way you will get exact run times for each operation in milliseconds.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sgoyal
New Member
09-20-2013
05:45 AM
Many Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-20-2013
05:42 AM
Hi sgoyal, I could help you on that but you have to wait until monday....
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Level Up Your .conf25: Splunk Arcade Comes to Boston
With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Ready to make your IT operations smarter and more efficient? Discover how to automate Splunk alerts with Red ...
