Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to calculate duration inside a LDAP transaction for different LDAP operations

sgoyal
New Member
‎09-20-2013 04:49 AM

An Example:

Sep 20 12:36:30 simxxx slapd_simxxx[14304]: conn=2045 fd=28 ACCEPT from IP=99.888.7.50:50716 (IP=0.0.0.0:636)
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 fd=28 TLS established tls_ssf=128 ssf=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=msst,o=muenchen,c=de" method=128
Sep 20 12:36:31 simxxx slapd_simxxx[14304]: conn=2045 op=0 BIND dn="cn=gabel,ou=mssgmt,o=muenchen,c=de" mech=SIMPLE ssf=0
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=0 RESULT tag=97 err=0 text=
Sep 20 12:36:32 simxxx slapd_simxxx[14304]: conn=2045 op=1 ADD dn="cn=aatek,ou=aaaaahange,ou=Kess,o=aaa,c=de"
Sep 20 12:36:33 simxxx slapd_simxxx[14304]: conn=2045 op=1 RESULT tag=105 err=0 text=
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 PASSMOD id="cn=aaatek,ou=dddd,ou=ken,o=dddn,c=de" new
Sep 20 12:36:34 simxxx slapd_simxxx[14304]: conn=2045 op=2 RESULT oid= err=0 text=
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH base="cn=sssstek,ou=Psss,ou=Kess,o=sss,c=de" scope=0 deref=0 filter="(|(objectClass=inetOrgPerson))"
Sep 20 12:36:35 simxxx slapd_simxxx[14304]: conn=2045 op=3 SRCH attr=objectclass
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 20 12:36:36 simxxx slapd_simxxx[14304]: conn=2045 op=4 UNBIND
Sep 20 12:36:37 simxxx slapd_simxxx[14304]: conn=2045 fd=28 closed

I want the result in a form of table

conn|op|delay|
--------------
2045|0| 00:00:01
    |1| 00:00:01
    |2| 00:00:00
    |3| 00:00:01
    |4| 00:00:00

I have declared several field extractions for the values Client_Domain which in this case is 99.888.7, also Bind_Op which is 0 and Search_Op which is 3 in this case. I have earlier written a Perl Script which could give me the desired values because I could store the value in Variables and while pattern matching in other lines, could give the value of the variable.
This is not possible in Splunk.

Can you help me out with this. Thanks to Splunk Community.

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-20-2013 06:57 AM

Something along these lines?

sourcetype=ldap | stats min(_time) as min_t max(_time) as max_t by conn, op | eval dur=tostring((max_t-min_t), "duration") | fields - min_t - max_t

/K

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-23-2013 02:38 AM

Hi sgoyal,

in addition to /K answers consider to configure your LDAP server to log the etime for each operations. This way you will get exact run times for each operation in milliseconds.

Reply

sgoyal
New Member
‎09-20-2013 05:45 AM

Many Thanks!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-20-2013 05:42 AM

Hi sgoyal, I could help you on that but you have to wait until monday....

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...