2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process
If I need to calculate the total time for the above transaction (time taken of event=start_process - time taken for event=completed), how do I go about doing it?
As sowings points out, the transaction command will compute the duration for you, automatically. If you have very long transactions, you might be better off performance-wise with stats:
...| stats min(_time) as min_t max(_time) as max_t by TransactionID | eval dur = max_t - min_t
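For anyone who wants to see what the stats approach is doing before running it in Splunk, here is an added example (not code from this thread or from Splunk) that parses lines in the format quoted in the question and computes, per TransactionID, the seconds between the earliest and latest event, exactly as min(_time)/max(_time) by TransactionID would. The log lines are constructed sample data in the same layout as the two quoted lines, deliberately out of time order to show that grouping by TransactionID does not depend on event order. It also separates out transactions that have a start_process but no completed event yet, so an unfinished transaction is not reported as taking 0 seconds.

```python
import re
from datetime import datetime

# Constructed sample events in the layout quoted in the question (not real log data).
# Lines are deliberately out of time order: grouping by TransactionID does not need
# the events to be sorted first.
SAMPLE_LOG = """\
2013-09-20 16:53:04,723 INFO[Thread-3]EndTime=20/09/2013 16:53:04 TransactionID=A, Event=completed, Result=sent
2013-09-20 16:52:04,723 INFO[Thread-3]StartTime=20/09/2013 16:52:04 TransactionID=A, Event=start_process
2013-09-20 16:55:10,100 INFO[Thread-4]StartTime=20/09/2013 16:55:10 TransactionID=B, Event=start_process
2013-09-20 16:56:40,100 INFO[Thread-4]EndTime=20/09/2013 16:56:40 TransactionID=B, Event=completed, Result=sent
2013-09-20 16:57:00,000 INFO[Thread-5]StartTime=20/09/2013 16:57:00 TransactionID=C, Event=start_process
2013-09-20 16:57:20,000 INFO[Thread-5]EndTime=20/09/2013 16:57:20 TransactionID=C, Event=completed, Result=sent
2013-09-20 16:58:00,000 INFO[Thread-6]StartTime=20/09/2013 16:58:00 TransactionID=D, Event=start_process
"""

# Timestamp at the start of the line, then the two key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?"
    r"TransactionID=(?P<tid>[^,\s]+), Event=(?P<event>[^,\s]+)"
)


def parse_events(text):
    """Yield (timestamp, transaction_id, event) for every line in the expected format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not carry a TransactionID/Event pair
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m.group("tid"), m.group("event")


def transaction_durations(text):
    """
    Equivalent of
        ... | stats min(_time) as min_t max(_time) as max_t by TransactionID
            | eval dur = max_t - min_t
    Returns (complete, incomplete): complete maps TransactionID -> seconds for
    transactions that have both a start_process and a completed event;
    incomplete lists the IDs that have not reached completed yet.
    """
    first, last, seen_events = {}, {}, {}
    for ts, tid, event in parse_events(text):
        first[tid] = min(first.get(tid, ts), ts)
        last[tid] = max(last.get(tid, ts), ts)
        seen_events.setdefault(tid, set()).add(event)

    complete, incomplete = {}, []
    for tid in first:
        if {"start_process", "completed"} <= seen_events[tid]:
            complete[tid] = (last[tid] - first[tid]).total_seconds()
        else:
            incomplete.append(tid)
    return complete, sorted(incomplete)


if __name__ == "__main__":
    durations, unfinished = transaction_durations(SAMPLE_LOG)
    print("TransactionID  Time taken (sec)")
    for tid in sorted(durations):
        print(f"{tid:<14} {durations[tid]:.0f}")
    if unfinished:
        print("no completed event yet:", ", ".join(unfinished))
```

In Splunk itself the same "only count finished transactions" rule can be expressed with the transaction command's startswith and endswith options (for example transaction TransactionID startswith="Event=start_process" endswith="Event=completed"); with plain stats you would filter on having seen both events, as the function above does.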
The transaction command creates a field called duration. In seconds. Done.
search source="your files" | reverse | transaction TransactionID | eval TimeTaken=duration | fields _time, TransactionID, TimeTaken | sort _time, TransactionID
Will that join the events as needed on TransactionID and then zoom in on the fields you need?
If not, I'm possibly not understanding your requirements fully.
I've just recently used transaction and also delta to help get end-to-end timings for events.
In one case I resorted to using delta because I could not get the events into Splunk exactly right.
Otherwise I think transaction is simpler.
Just a comment: "|reverse" is overkill here. Transaction understands that it should be in time order.
Could this be done using | reverse | transaction TransactionID?
The reverse should ensure that the start_process is listed before completed.
The transaction will join separate events into one combined event = a transaction, and every unique value of TransactionID results in multiple transactions.
Splunk will automatically create a new field = _duration for you, which is the difference between the first and last event in the combined event.
So you don't even need to do a time difference between the fields yourself.
NB: I note that the date and times for the events are identical in your quoted example; if there is no difference in the log time nor in the event details themselves, sadly _duration may prove to be 0.
No need to reverse. Splunk will sort out the transaction anyway, as long as you're within reasonable limits regarding total transaction length and max time between events.
See the docs for transaction.
What I meant is that I want to have the results below for the above lines of events, based on event=start_process - event=completed for every transaction.
TransactionID  Time taken (sec)
A              60
B              90
C              20
...
etc.