Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the average duration of each steps within a transaction?

RobertEttinger8
Explorer
‎09-02-2019 09:12 AM

Hi, I have events indexed in the following format:

type=a transactionID=xxxxxxxxxxx status=Created lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Processing lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Held lastUpdateTime=_time
type=a transactionID=xxxxxxxxxxx status=Completed lastUpdateTime=_time

type=b transactionID=yyyyyyyyyyy status=Created lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Processing lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Held lastUpdateTime=_time
type=b transactionID=yyyyyyyyyyy status=Completed lastUpdateTime=_time

Although it's easy to calculate the duration of each step (status change) for one transaction (I can use delta or autoregress lastUpdateTime on a eval'ed duration), how can I calculate the average duration of each step per type for a given day, so I can plot an average line on a chart against a particular transaction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-03-2019 06:03 AM

@RobertEttinger80 ,

Try and verify against your data

"your search"
|sort transactionID,lastUpdateTime
|streamstats current=f window=1 last(lastUpdateTime) as prev by transactionID,type
|eval diff=lastUpdateTime-prev|fillnull value=0 diff
|eventstats avg(eval(if(status=="Created",diff,null()))) as Created
            ,avg(eval(if(status=="Processing",diff,null()))) as Processing
            ,avg(eval(if(status=="Held",diff,null()))) as Held
            ,avg(eval(if(status=="Completed",diff,null()))) as Completed
            by type                
|fields - diff,prev

You may replace eventstats with stats if you want to display only the avg.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-03-2019 06:03 AM

@RobertEttinger80 ,

Try and verify against your data

"your search"
|sort transactionID,lastUpdateTime
|streamstats current=f window=1 last(lastUpdateTime) as prev by transactionID,type
|eval diff=lastUpdateTime-prev|fillnull value=0 diff
|eventstats avg(eval(if(status=="Created",diff,null()))) as Created
            ,avg(eval(if(status=="Processing",diff,null()))) as Processing
            ,avg(eval(if(status=="Held",diff,null()))) as Held
            ,avg(eval(if(status=="Completed",diff,null()))) as Completed
            by type                
|fields - diff,prev

You may replace eventstats with stats if you want to display only the avg.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...