Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the average duration of each steps within a transaction?

RobertEttinger8
Loves-to-Learn Lots
‎09-02-2019 09:12 AM

Hi, I have events indexed in the following format:

type=a transactionID=xxxxxxxxxxx status=Created lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Processing lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Held lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Completed lastUpdateTime=_time

type=b transactionID=yyyyyyyyyyy status=Created lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Processing lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Held lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Completed lastUpdateTime=_time

Although it's easy to calculate the duration of each step (status change) for one transaction (I can use delta or autoregress lastUpdateTime on a eval'ed duration), how can I calculate the average duration of each step per type for a given day, so I can plot an average line on a chart against a particular transaction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎09-03-2019 06:03 AM

@RobertEttinger80 ,

Try and verify against your data

"your search"
|sort transactionID,lastUpdateTime
|streamstats current=f window=1 last(lastUpdateTime) as prev by transactionID,type
|eval diff=lastUpdateTime-prev|fillnull value=0 diff
|eventstats avg(eval(if(status=="Created",diff,null()))) as Created
            ,avg(eval(if(status=="Processing",diff,null()))) as Processing
            ,avg(eval(if(status=="Held",diff,null()))) as Held
            ,avg(eval(if(status=="Completed",diff,null()))) as Completed
            by type                
|fields - diff,prev

You may replace eventstats with stats if you want to display only the avg.

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎09-03-2019 06:03 AM

@RobertEttinger80 ,

Try and verify against your data

"your search"
|sort transactionID,lastUpdateTime
|streamstats current=f window=1 last(lastUpdateTime) as prev by transactionID,type
|eval diff=lastUpdateTime-prev|fillnull value=0 diff
|eventstats avg(eval(if(status=="Created",diff,null()))) as Created
            ,avg(eval(if(status=="Processing",diff,null()))) as Processing
            ,avg(eval(if(status=="Held",diff,null()))) as Held
            ,avg(eval(if(status=="Completed",diff,null()))) as Completed
            by type                
|fields - diff,prev

You may replace eventstats with stats if you want to display only the avg.

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...