- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to calculate the total time taken for each...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate the total time taken for each transaction
2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process
If i need to calculate the total time for the above transaction (time taken of event=start_process - time taken for event=completed), how to go abt doing it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as sowings points out, the transaction command will compute the duration for you, automatically. If you have very long transactions, you might be better off performance wise with stats;
...| stats min(_time) as min_t max(_time) as max_t by TranasactionID | eval dur = max_t - min_t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The transaction command creates a field called duration. In seconds. Done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search source="your files" | reverse | transaction TransactionID | eval TimeTaken=_duration | fields _time, TransactionID, TimeTaken | sort _time, TransactionID?
Will that join the events as needed on TransactionID and then zoom in on the fields you need ?
If not I'm possibly not understanding your requirements fully
I've just recently used transaction and also delta to help get end to end timings for events
In one case I resorted to using delta because I could not get the events into Splunk exactly right
Otherwise I think transaction is simpler
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a comment: "|reverse" is overkill here. Transaction understands that it should be in time order.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could this be done using the | reverse | transaction TransactionId?
The reverse should ensure that the start_process is listed before completed
The transaction will join separate events into one combined event = a transaction
- and every unique value of TranscationID results in multiple transactions
Splunk will automatically create a new field = _duration for you which is the difference between first and last event in the combined event.
So you don't need to even do a time difference between the fields yourself
nb: I note that the date and times for the events are identical in your quoted example - if there is no difference in log time NOR in the event details themselves, sadly _duration may prove to be 0?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to reverse. Splunk will sort out the transaction anyway, as long as you're within reasonable limits regarding total transaction length and max time between events.
see the docs for transaction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what i meant is that i want to have the below resulst for above lines of event based on event=start_process - event=completed for every transaction.
TransactionID Time taken (1sec)
A 60
B 90
C 20 ...
etc
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
