Re: How to calculated individual fail time?

WK · ‎11-12-2023

I have following data:
02:00:00 Item=A Result=success
02:00:05 Item=B Result=success
02:05:00 Item=A Result=fail
02:05:05 Item=B Result=success
02:10:00 Item=A Result=fail
02:10:05 Item=B Result=success
02:15:00 Item=A Result=success
02:15:05 Item=B Result=fail
02:20:00 Item=A Result=success
02:20:05 Item=B Result=fail
02:25:00 Item=A Result=success
02:25:05 Item=B Result=success
02:30:00 Item=A Result=success
02:30:05 Item=B Result=success
02:35:00 Item=A Result=success
02:35:05 Item=B Result=success
02:40:00 Item=A Result=success
02:40:05 Item=B Result=fail
02:45:00 Item=A Result=success
02:45:05 Item=B Result=success
02:50:00 Item=A Result=success
02:50:05 Item=B Result=success
02:55:00 Item=A Result=success
02:55:05 Item=B Result=success

My desired results:
Item StartTime EndTime Duration
A 02:05:00 02:15:00 00:10:00
B 02:15:05 02:25:05 00:10:00
B 02:40:05 02:45:05 00:05:00

I had tried transaction and streamstats but got wrong results.
Can anybody here help me to solve this problem?
Thank you.

gcusello · ‎11-12-2023

Hi @WK,

what's the condition fro grouping?

How can I recognize StartTime and EndTime?

this is one of the few situation where to use the transactin command.

if you want to trace when there's a Fail and a following Success, you could try somethin like this:

<your_search>
| transaction Item StartsWith="Result=Fail" EndsWith="Result=Success"
| eval 
   StartTime=strftime(_time,"%H:%M:%S),
   EndTime=strftime(_time+duration,"%H:%M:%S), 
   Duration=tostring(duration,"duration")
| table Item StartTime EndTime Duration

Ciao.

Giuseppe

WK · ‎11-12-2023

Thanks for your swift response.
I need to calculate the duration between first "fail" to first "success" for every Item.
Unfortunately the result is incorrect:
Item StartTime EndTime Duration
B 02:40:05 02:45:05 00:05:00
B 02:20:05 02:25:05 00:05:00
B 02:15:05 02:30:05 00:15:00 ==> should be "B 02:15:05 02:25:05 00:10:00"
A 02:10:00 02:15:00 00:05:00
A 02:05:00 02:20:00 00:15:00 ==> should be "A 02:05:00 02:15:00 00:10:00"

I'd tried this method before, however consecutive "Result=fail" causes overlapped results.

yuanliu · ‎11-13-2023

@gcusello's answer should give you the desired output. Is it possible that some events come out of order? You can use sort to make sure events are in perfect revere time order.

| sort - _time
| transaction Item startswith="Result=fail" endswith="Result=success"
| eval EndTime = _time + duration
| fieldformat EndTime = strftime(EndTime, "%F %T")
| fieldformat duration = tostring(duration, "duration")
| fields Item _time EndTime duration

Here you can rename _time as StartTime if you wish, then format it for display. For large number of events, sort can be expensive. This is one of the costs of transaction when raw events are not perfectly in order.

Here is an emulation you can play with and compare with raw data

| makeresults
| eval data = split("02:00:00 Item=A Result=success
02:00:05 Item=B Result=success
02:05:00 Item=A Result=fail
02:05:05 Item=B Result=success
02:10:00 Item=A Result=fail
02:10:05 Item=B Result=success
02:15:00 Item=A Result=success
02:15:05 Item=B Result=fail
02:20:00 Item=A Result=success
02:20:05 Item=B Result=fail
02:25:00 Item=A Result=success
02:25:05 Item=B Result=success
02:30:00 Item=A Result=success
02:30:05 Item=B Result=success
02:35:00 Item=A Result=success
02:35:05 Item=B Result=success
02:40:00 Item=A Result=success
02:40:05 Item=B Result=fail
02:45:00 Item=A Result=success
02:45:05 Item=B Result=success
02:50:00 Item=A Result=success
02:50:05 Item=B Result=success
02:55:00 Item=A Result=success
02:55:05 Item=B Result=success", "
")
| mvexpand data
| rename data as _raw
| rex "^(?<_time>\S+)"
| eval _time = strptime(_time, "%H:%M:%S")
| extract
``` data emulation above ```

Combining the two, I get

Item	_time	EndTime	duration	_raw
B	2023-11-13 02:40:05	2023-11-13 02:45:05	00:05:00	02:40:05 Item=B Result=fail 02:45:05 Item=B Result=success
B	2023-11-13 02:20:05	2023-11-13 02:25:05	00:05:00	02:20:05 Item=B Result=fail 02:25:05 Item=B Result=success
B	2023-11-13 02:15:05	2023-11-13 02:30:05	00:15:00	02:15:05 Item=B Result=fail 02:30:05 Item=B Result=success
A	2023-11-13 02:10:00	2023-11-13 02:15:00	00:05:00	02:10:00 Item=A Result=fail 02:15:00 Item=A Result=success
A	2023-11-13 02:05:00	2023-11-13 02:20:00	00:15:00	02:05:00 Item=A Result=fail 02:20:00 Item=A Result=success

WK · ‎11-13-2023

Hi,

Thanks for your response.
My desired results:
Item StartTime EndTime Duration
A 02:05:00 02:15:00 00:10:00
B 02:15:05 02:25:05 00:10:00
B 02:40:05 02:45:05 00:05:00

I had tried similar methods like your but got wrong results.
Fail duration should be calculated from first fail to first success.
Thus actual record count should be 3 instead of 5.
Sorting may not be the root cause for my question.

It seems that if there are 2 "fail" events, "transaction" commands generates 2 overlapped records.
B 02:20:05(fail) 02:25:05(success) 00:05:00
B 02:15:05(fail) 02:30:05(success) 00:15:00
Time duration of first one is included in second one.
02:30:05(success) should not be considered as the end of fail event.
02:25:05(success) is the correct one.

How to calculate individual fail time?

eval

stats

table

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation