Splunk Search

How to create a search for response time to be calculated?

VijaySrrie
Builder

I have 2 events

1) request event

2) response event

I need response time to be calculated (i.e., request event time - response event time).

How to construct the query?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @VijaySrrie,

If you have a key (e.g. host or transaction_key) to correlate events, you can use the following:

your_search
| stats earliest(_time) AS request latest(_time) AS response BY key
| eval duration=response-request

If you don't have a correlation key, you can use the transaction command, which is slower than the previous one, and there's a problem if you have more request or response times:

your_search
| transaction startswith="request" endswith="response"
| table _time duration

Ciao.

Giuseppe


BT
Path Finder

Hi,

I have the same issue where I have to calculate the total duration between request and response. The above query works, but duration is not being calculated or displayed when I run the query:

search query |  stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID | eval duration=response- request

Result for the above query:

TransactionID                        Request                  Response
000877d43ef8778123243454bda780c5e5   2022-05-05 01:36:12.916  2022-05-05 01:36:13.27

Please help

0 Karma

VijaySrrie
Builder

[Attached image: vijaysri_0-1617092225166.png]

In most cases the request and response times are the same, so I should get the result as "0", but I am getting wrong results.

0 Karma

VijaySrrie
Builder

Will the response_time produced be in seconds or milliseconds?

0 Karma

gcusello
SplunkTrust

Hi @VijaySrrie,

Epoch time is expressed in seconds, so the difference will be in seconds.

Ciao.

Giuseppe

0 Karma
