Splunk Search

How to calculate response time between two events


I have a table as below. I need to calculate the time difference between the below two events.

request_pid _time Milli_Sec request_type
11600 2016-11-19 17:20:50 17.262275 LeaveBidsRequest
11600 2016-11-19 17:20:51 17.803375 LeaveBidsRequest
19243 2016-11-19 17:36:51 77.376436 LeaveBidsRequest
19243 2016-11-19 17:36:53 78.502509 LeaveBidsRequest
21012 2016-11-19 17:38:38 67.263722 LeaveBidsRequest
21012 2016-11-19 17:38:38 67.678533 LeaveBidsRequest

Sample output like
request_pid Response_Time
11600 1.5411.

Can someone help me?



I agree with @niketnilay that stats is the best way to go. But I think there is a much easier stats command to do what you want:

 Your base Search  request_type="LeaveBidsRequest" 
| stats range(_time) as Response_Time  earliest(Milli_Sec) as ems latest(Milli_Sec) as lms by request_pid
| eval Response_Time = Response_Time + lms - ems | fields - lms ems

Hope this helps!



OPTION 1 : Using stats command
Best way to do is by Stats as it will run faster and give you control over inputs/outputs:

 Your base Search  request_type="LeaveBidsRequest"
| stats count(request_pid) as eventcount min(_time) as MinTime max(_time) as MaxTime by request_pid
| search eventcount>1
| eval Response_Time=(MaxTime-MinTime)
| table request_pid Response_Time

OPTION 2 : Using transaction command
You can also try transaction, which is easier to write but should not be run over longer durations that result in several thousand event matches (which might result in slowness and orphaned records).

 Your base Search  request_type="LeaveBidsRequest"
| transaction request_pid
| search eventcount>1
| rename duration as Response_Time
| table request_pid Response_Time

1) Response_Time is in seconds for both examples.
2) The transaction command computes eventcount and duration automatically (based on the first and last events matched).
3) Use of maxpause, maxspan, keeporphaned, keepevicted, startswith and endswith should be considered for transaction to run faster. Nevertheless, transaction is only suitable if you provide a key field in your search, like request_pid in your use case. Otherwise stats should be used for scenarios like this.
4) Another scenario in this use case would be to find orphaned records, or eventcount=1, where no match for LeaveBidsRequest is found for a duration > the defined SLA.

| makeresults | eval message= "Happy Splunking!!!"
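The following is an added reference implementation, not code from this thread, that replays the stats-based calculation (range(_time) plus the latest-minus-earliest Milli_Sec correction) over the rows from the question and also applies the eventcount=1 / SLA check from note 4; the seventh row with request_pid 99999 and the 2-second SLA are constructed for illustration.

```python
from datetime import datetime

# Constructed sample input: the six rows from the question's table plus one
# extra single-event request_pid (99999) to exercise the "orphaned record" case.
SAMPLE_EVENTS = [
    ("11600", "2016-11-19 17:20:50", 17.262275, "LeaveBidsRequest"),
    ("11600", "2016-11-19 17:20:51", 17.803375, "LeaveBidsRequest"),
    ("19243", "2016-11-19 17:36:51", 77.376436, "LeaveBidsRequest"),
    ("19243", "2016-11-19 17:36:53", 78.502509, "LeaveBidsRequest"),
    ("21012", "2016-11-19 17:38:38", 67.263722, "LeaveBidsRequest"),
    ("21012", "2016-11-19 17:38:38", 67.678533, "LeaveBidsRequest"),
    ("99999", "2016-11-19 17:40:00", 12.000000, "LeaveBidsRequest"),  # constructed orphan
]


def response_times(events, request_type="LeaveBidsRequest"):
    """Mirror of: | stats range(_time) as Response_Time earliest(Milli_Sec) as ems
    latest(Milli_Sec) as lms by request_pid | eval Response_Time = Response_Time + lms - ems

    Returns {request_pid: {"eventcount": n, "Response_Time": seconds}}.
    """
    groups = {}
    for pid, ts, milli_sec, rtype in events:
        if rtype != request_type:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups.setdefault(pid, []).append((t, milli_sec))
    results = {}
    for pid, rows in groups.items():
        # Order by whole-second _time, then by the fractional Milli_Sec value, so two
        # events in the same second (pid 21012 above) still get a well-defined first/last;
        # earliest()/latest() on tied _time values do not guarantee that by themselves.
        rows.sort()
        (first_t, ems), (last_t, lms) = rows[0], rows[-1]
        whole_seconds = (last_t - first_t).total_seconds()  # range(_time)
        results[pid] = {
            "eventcount": len(rows),
            "Response_Time": round(whole_seconds + (lms - ems), 6),
        }
    return results


def needs_attention(results, sla_seconds):
    """Note 4 above: request_pids with no matching pair (eventcount=1) or whose
    Response_Time exceeds the SLA, sorted for stable output."""
    return sorted(pid for pid, r in results.items()
                  if r["eventcount"] == 1 or r["Response_Time"] > sla_seconds)


if __name__ == "__main__":
    res = response_times(SAMPLE_EVENTS)
    for pid in sorted(res):
        print(pid, res[pid]["Response_Time"])
    print("orphaned or over 2s SLA:", needs_attention(res, 2.0))
```

Milli_Sec is added to the whole-second difference exactly as the thread's eval does, which reproduces the 1.5411 the question expects for request_pid 11600.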


Hello niketnilay,

Hope you are doing well.

Thanks for the answer. I've tried transaction already, but it gives the difference in seconds.

I would like to subtract the time as below

11600 2016-11-19 17:20:50 17.262275 LeaveBidsRequest
11600 2016-11-19 17:20:51 17.803375 LeaveBidsRequest

Response_Time=(2016-11-19 17:20:51 17.803375) - (2016-11-19 17:20:50 17.262275)

Milli_Sec is stored as a separate field.
