How to calculate the total time taken for each transaction

thinksplunk
Engager

2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process

If I need to calculate the total time for the above transaction (time of Event=completed minus time of Event=start_process), how do I go about doing it?


kristian_kolb
Ultra Champion

As sowings points out, the transaction command will compute the duration for you, automatically. If you have very long transactions, you might be better off performance-wise with stats:

...| stats min(_time) as min_t max(_time) as max_t by TransactionID | eval dur = max_t - min_t
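As an added illustration (not part of the original thread), the following Python mirrors what the stats pipeline above does: extract _time and TransactionID from each event, take the earliest and latest time per ID, and subtract. It runs over constructed sample lines in the poster's log format: transaction A exactly as posted, a second transaction B, and a C that has started but never completed (B and C are assumptions, not from the page). Because it aggregates with min/max, event order is irrelevant, which is the same reason stats and transaction need no preceding reverse.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the format of the original post (not from the page):
# transaction A as posted, a second transaction B, and a C that has started but not completed.
# Lines are deliberately newest-first, the order Splunk normally returns them in.
SAMPLE_LOG = """\
2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process
2013-09-20 16:57:00,500 INFO[Thread-7]EndTime=20/09/2013 16:57:00 TransactionID=B, Event=completed, Result=sent
2013-09-20 16:55:30,500 INFO[Thread-7]StartTime=20/09/2013 16:55:30 TransactionID=B, Event=start_process
2013-09-20 17:00:00,000 INFO[Thread-9]StartTime=20/09/2013 17:00:00 TransactionID=C, Event=start_process
"""

# Field extraction: the leading timestamp (what Splunk would store in _time), TransactionID and Event.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) .*?"
    r"TransactionID=(?P<tid>\w+), Event=(?P<event>\w+)"
)


def parse_events(text):
    """Return a list of (time_ms, TransactionID, Event) tuples, one per parseable line.
    Times are integer milliseconds since the epoch so that differences are exact."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # Splunk would still index such a line, but with no TransactionID to group on
        dt = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((int(dt.timestamp()) * 1000 + int(m.group("ms")), m.group("tid"), m.group("event")))
    return events


def durations(events):
    """Python equivalent of
         ... | stats min(_time) AS min_t max(_time) AS max_t count BY TransactionID
             | eval dur = max_t - min_t
    Returns {TransactionID: (dur_seconds, event_count, completed_seen)}.
    Input order is irrelevant, which is why no reverse is needed before stats."""
    agg = {}
    for t, tid, event in events:
        lo, hi, n, done = agg.get(tid, (t, t, 0, False))
        agg[tid] = (min(lo, t), max(hi, t), n + 1, done or event == "completed")
    return {tid: ((hi - lo) / 1000, n, done) for tid, (lo, hi, n, done) in agg.items()}


def report(text):
    """Rows of (TransactionID, seconds, completed), sorted by ID: the table the poster asked for.
    A transaction with only a start_process event gets 0 seconds and completed=False; Splunk's
    transaction command would likewise report duration=0 for it, so check for the completed
    event (or eventcount > 1) before trusting a zero."""
    return sorted((tid, dur, done) for tid, (dur, _n, done) in durations(parse_events(text)).items())


if __name__ == "__main__":
    for tid, secs, done in report(SAMPLE_LOG):
        print(f"{tid}\t{secs:g}\t{'' if done else '(incomplete)'}")
```

The completed flag is the check worth carrying into the real search: a still-open transaction and a transaction whose start and end events carry the same timestamp both come out as 0 seconds, and only the event count or the presence of Event=completed tells them apart.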

sowings
Splunk Employee

The transaction command creates a field called duration. In seconds. Done.

miken_hg5
Explorer

search source="your files" | reverse | transaction TransactionID | eval TimeTaken=duration | fields _time, TransactionID, TimeTaken | sort _time, TransactionID

Will that join the events as needed on TransactionID and then zoom in on the fields you need ?

If not, I'm possibly not understanding your requirements fully.

I've just recently used transaction and also delta to help get end to end timings for events

In one case I resorted to using delta because I could not get the events into Splunk exactly right

Otherwise I think transaction is simpler


sowings
Splunk Employee

Just a comment: "|reverse" is overkill here. Transaction understands that it should be in time order.


miken_hg5
Explorer

Could this be done using | reverse | transaction TransactionID?

The reverse should ensure that the start_process is listed before completed

The transaction will join separate events into one combined event = a transaction
- and every unique value of TransactionID results in multiple transactions

Splunk will automatically create a new field = _duration for you which is the difference between first and last event in the combined event.

So you don't need to even do a time difference between the fields yourself

NB: I note that the date and times for the events are identical in your quoted example. If there is no difference in log time nor in the event details themselves, sadly _duration may prove to be 0?


kristian_kolb
Ultra Champion

No need to reverse. Splunk will sort out the transaction anyway, as long as you're within reasonable limits regarding total transaction length and max time between events.

See the docs for transaction.


thinksplunk
Engager

What I meant is that I want to have the results below for the above lines of events, based on Event=start_process to Event=completed, for every transaction:

TransactionID   Time taken (sec)
A               60
B               90
C               20
...
