Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate time difference of 2 events with logs that do not have a common string?

huligesh
Engager
‎02-02-2017 02:20 PM

Hi,
I have Siebel logs like below:
event 1:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:48 7676: Returned from SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
..
.. (after few events)
event n:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:47 7676: Calling SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0

I need to extract the timestamp and find difference to get response time data.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-02-2017 04:20 PM

If the field with value 00005609588f0d40:0 is your MessageFlowID, you can do <search> | transaction mflowID startsWith="Calling" endsWith="Returned"
After the search executes, you will have a new field called duration generated by the transaction command that gives you the delta between start and end of this "transaction".

Note: transaction is a pretty expensive command, use it over the smallest event set/time frame possible. If this produces what you want, you may be able to rewrite the search more efficiently without using transaction. You can take a look at this answer for an example.

But first things first.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-21-2017 04:31 PM

Do not use transaction; try this:

You Base Search | stats range(_time) BY mflowID
0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-02-2017 04:20 PM

If the field with value 00005609588f0d40:0 is your MessageFlowID, you can do <search> | transaction mflowID startsWith="Calling" endsWith="Returned"
After the search executes, you will have a new field called duration generated by the transaction command that gives you the delta between start and end of this "transaction".

Note: transaction is a pretty expensive command, use it over the smallest event set/time frame possible. If this produces what you want, you may be able to rewrite the search more efficiently without using transaction. You can take a look at this answer for an example.

But first things first.

Reply
Solved! Jump to solution

huligesh
Engager
‎02-03-2017 06:19 AM

Thanks for the answer.

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎02-02-2017 03:28 PM

I see almost everything common between the two strings:

MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:48 7676: Returned from SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
..
.. (after few events)
event n:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:47 7676: Calling SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...