Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count events in a time frame based on a time elapsed field

CarbonCriterium
Path Finder
‎06-08-2022 06:57 AM

What is the is the best approach to creating a field that shows the number of incomplete requests in a given period of time?  

  • For the machine in question, events are logged when it completes the Request-Response Loop.   
  • I have a field `time_taken` which shows, in milliseconds, how long the Request-Response Loop has taken. 
  • I have already done the following, now how do I evaluate the total number of `open_requests`  for each second?

 

| eval responded = _time
| eval requested = _time - time_taken

| eval responded = strftime(responded ,"%Y/%m/%d %H:%M:%S")
| eval requested = strftime(requested ,"%Y/%m/%d %H:%M:%S")

| eval open_requests = ??? 

| table _time open_requests
| sort - _time

 

 

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-08-2022 09:07 AM

It looks like the challenge is how to define the requirement, i.e., the difference between _time at the beginning of the pseudo code which you use as a marker of "responded", and _time at the end of the pseudo code which you intend as a marker of clock unit (second).

I assume that fields _time and time_taken, therefore responded and requested as well, are all in time format, i.e., can be used in numeric comparisons.  Ignoring the strftime() calculations which are meant for display only, the following can give you something meaningful:

| eval responded = _time
| eval requested = _time - time_taken
| bin _time span=1s ``` chop _time into 1-s bins ```
| where requested < _time AND time_taken > 1s ``` many ways to construct this, depending on interpretation and preference ```
| timechart count

Hope this helps.

Reply

CarbonCriterium
Path Finder
‎06-08-2022 02:44 PM

Thanks, I eventually came to something similar!  I think this is the solution I am after, unless you can spot a hole in the logic.

 

| eval seconds_taken = time_taken/1000
| eval responded = _time, requested = _time - seconds_taken
| where requested <= responded AND seconds_taken > 0
``` | where requested <= responded AND seconds_taken >= 0 ```
| timechart count span=1s

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-09-2022 04:51 AM

As long as you test a variety of data manually and are satisfied with the results, there should be no concern.

This said, both conditions "requested <= responded" and "seconds_taken > 0" will always be true.  Shouldn't it be "seconds_taken > 1"? ("requested <= responded" is always true.)  At the bottom of this, any event in which time_taken > 1000 would be characterized as "open request" because you wanted to count from the end of each second.

To get the results logically sound, you also want to shift time axis according to requested, something like

| eval seconds_taken = time_taken/1000
| eval responded = _time, requested = _time - seconds_taken
| where seconds_taken > 1
| rename requested AS _time
| timechart count span=1s

On the other hand, now that I look it from this angle, there's another consideration that needs attention: If an event's seconds_taken > 2 but < 3, the event should be counted as "open request" in two 1s bins; the "open" state will be concurrent with other "open" requests (older and newer) for the entire duration.  Effectively, you would be stacking Gantt charts.

I faced a very similar problem years ago that somesoni2 helped solve.  You can see the answer in https://community.splunk.com/t5/Splunk-Search/How-to-compute-concurrent-members-in-events/m-p/112163...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...