Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to get expected output

sridharreddy
New Member
‎07-20-2016 10:23 PM

EVENT1) 20160718T164839.608 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT2) 20160718T164831.111 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"

EVENT3) 20160718T164822.076 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT4) 20160718T164816.622 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="765432"
EVENT5) 20160718T164810.655 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT6) 20160718T164802.646 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="765432"

Hi Folks,

I have a issue in splunk picking up the correct REQ and RES times in this events.

ACCNO:123456 event1(RES)-event2(REQ) =20160718T164839.608-20160718T164831.111= 8.***

ACCNO:123456 event3(RES)-event5(REQ) =20160718T164822.076-20160718T164810.655=12.***

ACCNO:765432 event4(RES)-event6(REQ) =20160718T164816.622-20160718T164802.646=14.***

My expected output:

ACCNO DURATION
123456 8. (some milli sec)
123456 12.(some milli sec)
765432 14.(some milli sec)

My current output (it is wrong scrab):
ACCNO DURATION
123456 8.497000

765432
123456 5.967000

765432

123456 19.430000

QUERY:

index=* sourcetype=* SNAME="ABCD" ACCNO=123456 OR ACCNO=765432 MESSAGE=REQ OR MESSAGE=RES| rex "(?\d{8}T\d{6}.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO, duration,

Thanks
-venkata Sridhar

0 Karma
Reply

sundareshr
Legend
‎07-21-2016 03:39 PM

Try this

index= sourcetype= SNAME="ABCD" ACCNO=123456 OR ACCNO=765432 MESSAGE=REQ OR MESSAGE=RES | reverse | streamstats count by SNAME MESSAGE | stats earliest(_time) as start latest(_time) as end by count | eval duration = end-start
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...