Splunk Search

How to edit my search to separate values in a column into two columns in my resulting table?

Explorer

I have the table like this:

time           info    id     response time
start time1    in      571          
end time1      out     571    10.01
start time2    in      560               
end time2      out     560    11.01

but I want to display it like this:

starttime1     end time1     id     responsetime
starttime2     end time2     id     responsetime

My search is like this:

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" |rex "(?.{23})"|rex field=_raw "INFO  :(?.*)"|rex field=_raw "ID:(?.*)"|sort _time|streamstats current=f last(_time) as LastTime by ID,source|eval ResponseTime=_time-LastTime|sort -ID|table Time,INFO,ID,ResponseTime

I have attached the table pic too.
alt text
Can anybody help please? Thanks in advance.

0 Karma

Legend

Try this

index=**** source="*****_****"   "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" | rex "(?<info>Inbound|Outbound)" | rex "ID:(?<id>.*)" | chart earliest(_time) as time over id by info | eval responsetime=outbound-inbound | eval responsetime=tostring(responsetime, "duration") | convert ctime(*bound) AS *bound
0 Karma

Explorer

Thanks sundar..it looks somewhat working but I have duplicates in the id's but when am searching the different sources I can achieve that cloud you please tell me where I can include source in my code.

0 Karma

Legend

What do you mean "duplicates in the id"? Try adding this before the chart segment. | eval id=source."::".id

0 Karma

Builder
| eval starttime=if(INFO="Inbound Message", Time, null())
| eval endtime=if(INFO="Outbound Message", Time, null()
| stats values(starttime) AS starttime values(endtime) AS endtime values(ResponseTime) by ID

Above should get you close.

0 Karma

Explorer

yes ...they have duplicates id's

0 Karma

Explorer

am not getting any results in the Time field..

0 Karma

Builder

You had a Time field in the table, was assuming you would append what I posted onto your query.

Are the IDs unique or do they repeat? Whats max response time? How many events would you search over... if only a few thousand transaction could be a good fit.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!