Splunk Search

How to calculate the delta between two time intervals for sending messages?

metylkinandrey
Communicator

Good afternoon! We receive messages in Splunk.

The task is as follows: there is a time period between the first message and the second, and also between the second and the third. I need to somehow calculate the delta between these intervals and display it on the dashboard. Is this possible? And if so, how can I do this? Is there a rough example? Unfortunately, I have not worked with Splunk at all before, so I don't even know where to start. If you need leading questions, I'm ready to answer.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this (run-anywhere sample; replace the first line with your base search):

```
index=_internal sourcetype=splunk_web_access
| table _time
| delta _time as timediff
```



metylkinandrey
Communicator

Adding "| delta _time as timediff" to my query:

```
index="bl_logging" sourcetype="testsystem-2"
| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount
| delta _time as timediff
```

Works great! Thanks a lot!

But as it turned out, my task is a little more difficult.

delta _time as timediff works great with messages that arrive sequentially, but there is one problem: messages arrive chaotically from different sources. As it turned out, I need to calculate the delta between messages in one thread. Messages in the same thread have a common srcMsgId (not different ones, as I thought), but each message has an individual messageId. So I need the message threads to be grouped by srcMsgId, and the delta calculated from the messages strictly within that thread (group): the interval between the first and second messages in the group, the second and third, etc.

Perhaps you know how to edit my request?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

There might not be an efficient way to do that. You'll have to sort your data by srcMsgId (and time) and then use delta.

Or you can use the following streamstats version, which performs the same calculation per srcMsgId group:

```
index="bl_logging" sourcetype="testsystem-2"
| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by srcMsgId
| eval timeDiff=_time-prevTime
```

metylkinandrey
Communicator

Yes, it works, thanks a lot!

```
index="bl_logging" sourcetype="testsystem-2"
| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by srcMsgId
| eval timeDiff=_time-prevTime
| delta _time as timediff
```

I added: | delta _time as timediff

I checked everything works as it should. Thanks again!


0 Karma
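To show why the thread-aware streamstats answer above and the delta step kept in the final query give different columns, here is an added Python model of both computations (example code written for this page, not part of the thread and not how Splunk implements these commands), run over a constructed set of interleaved messages that uses the thread's field names srcMsgId and messageId with made-up timestamps. It also lists the rows where `sort srcMsgId _time | delta _time` reports a gap that reaches across a thread boundary, which is what a dashboard built on the timediff column would display as a real interval.

```python
# Constructed sample events, not data from the thread: (_time in epoch
# seconds, srcMsgId, messageId). Threads A and B interleave on arrival,
# which is the situation the question describes.
EVENTS = [
    (1000, "A", "m1"),
    (1010, "B", "m2"),
    (1030, "A", "m3"),
    (1035, "B", "m4"),
    (1100, "A", "m5"),
]


def delta_in_order(events, key):
    """Model of `| sort <key> | delta _time as timediff`: the gap to the
    previous row in sort order, whichever thread that row belongs to.
    Returns {messageId: gap}; the first row gets None, as delta leaves it blank."""
    out, prev = {}, None
    for t, _src, mid in sorted(events, key=key):
        out[mid] = None if prev is None else t - prev
        prev = t
    return out


def per_thread_delta(events):
    """Model of `| sort srcMsgId _time
    | streamstats current=f window=1 values(_time) as prevTime by srcMsgId
    | eval timeDiff=_time-prevTime`: the gap to the previous message of the
    same srcMsgId; the first message of each thread gets None."""
    out, prev_by_src = {}, {}
    for t, src, mid in sorted(events, key=lambda e: (e[1], e[0])):
        out[mid] = t - prev_by_src[src] if src in prev_by_src else None
        prev_by_src[src] = t
    return out


def boundary_rows(events):
    """messageIds where `sort srcMsgId _time | delta _time` disagrees with the
    per-thread value: these are thread boundaries, where delta reaches back
    into the previous thread and reports a meaningless (often negative) gap."""
    grouped_sort = delta_in_order(events, key=lambda e: (e[1], e[0]))
    threaded = per_thread_delta(events)
    return sorted(mid for mid in threaded if grouped_sort[mid] != threaded[mid])


if __name__ == "__main__":
    print("arrival order :", delta_in_order(EVENTS, key=lambda e: e[0]))
    print("per thread    :", per_thread_delta(EVENTS))
    print("bogus rows    :", boundary_rows(EVENTS))
```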