Splunk Search

How to edit my transaction search to calculate duration?

mprreddy51
Explorer

Hi Folks,

How do I calculate the time for the scenario below (same ACCNO) using transaction?

20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234" 

20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"

Current Search:

index=PQRST sourcetype=TEST SNAME=DEMO | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO,duration

Output:

ACCNO        duration
20161234     1.05
20161234     1.04

Thanks,
P

0 Karma
1 Solution

somesoni2
SplunkTrust

Try this run-anywhere sample (from the data in your question). This does calculate the duration as you expect. If this is not what you want, could you provide the table you're expecting?
Everything before rex is there to generate sample data.

| gentimes start=-1 | eval temp="20160719T181321.405 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181320.400 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181231.906 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181230.902 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | extract kvdelim="=" 
|   rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval _time=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES"


mprreddy51
Explorer

Hi @somesoni2

I have big events (I shortened them here), and there are 1000's of events like this. For each ACCNO there will be 2 REQ and 2 RES like I showed. Sometimes there may be one REQ and one RES also. I want to calculate the time taken between the first REQ and the first RES for the same ACCNO. Example: if there are 2 requests and 2 responses for the same ACCNO, then I should get the time taken between the first REQ and first RES, and the time taken between the second REQ and second RES.

expected output:

ACCNO        DURATION
20161234     1.05 (difference between 1st REQ and 1st RES)
20161234     1.04 (difference between 2nd REQ and 2nd RES)
Similar for the other ACCNO values also.

0 Karma

somesoni2
SplunkTrust

Give this a try

index=PQRST sourcetype=TEST SNAME=DEMO MESSAGE="RES" OR MESSAGE="REQ" | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO,duration
0 Karma
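An added example, not from this thread, that reproduces in plain Python what the transaction command is doing here, so the expected durations can be checked offline before trusting the search. It parses the four sample lines with the same timestamp regex and strptime format used in the search, sorts them oldest first (Splunk returns them newest first), pairs each REQ with the next RES for the same ACCNO, and reports any REQ or RES left without a partner (the "one REQ and one RES" case works the same way, a lone REQ is not silently dropped). The helper names and the choice of ACCNO as the pairing key are mine (the search in the thread groups on SNAME); on the sample data it yields 1.004 s and 1.005 s for the two pairs.

```python
import re
from datetime import datetime

# Constructed sample events, copied from the question. Splunk returns events newest
# first, so they are listed in that order here too; the pairing below sorts them.
SAMPLE_EVENTS = """\
20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
"""

# Same pattern as the rex in the answer, plus a KEY="VALUE" extractor that stands in
# for Splunk's automatic key-value field extraction (extract kvdelim="=").
TS_RE = re.compile(r"(?P<pt>\d{8}T\d{6}\.\d{3})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y%m%dT%H%M%S.%f"   # the strptime format used in the search


def parse_event(line):
    """Return a dict of fields for one raw line, or None if no timestamp is found."""
    m = TS_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["_time"] = datetime.strptime(m.group("pt"), TS_FMT)
    return fields


def pair_req_res(raw_text, key="ACCNO"):
    """Pair each REQ with the next RES carrying the same key, in time order.

    Mirrors `transaction <key> startswith="REQ" endswith="RES"` (hypothetical
    helper, not Splunk code): a REQ opens a transaction, the next RES for that key
    closes it, and a second REQ arriving before any RES replaces the open one, with
    the earlier REQ reported as unmatched. Returns (pairs, unmatched); pairs is a
    list of {key, "req_time", "res_time", "duration"} in chronological order.
    """
    events = [e for e in (parse_event(l) for l in raw_text.splitlines()) if e]
    events.sort(key=lambda e: e["_time"])  # oldest first, regardless of index order

    open_req = {}          # key value -> the REQ event still waiting for its RES
    pairs, unmatched = [], []
    for ev in events:
        k = ev.get(key)
        msg = ev.get("MESSAGE")
        if msg == "REQ":
            if k in open_req:
                unmatched.append(open_req[k])   # REQ that never saw a RES
            open_req[k] = ev
        elif msg == "RES":
            req = open_req.pop(k, None)
            if req is None:
                unmatched.append(ev)            # RES with no preceding REQ
                continue
            delta = (ev["_time"] - req["_time"]).total_seconds()
            pairs.append({key: k,
                          "req_time": req["_time"].strftime(TS_FMT),
                          "res_time": ev["_time"].strftime(TS_FMT),
                          "duration": round(delta, 3)})
    unmatched.extend(open_req.values())         # REQs still open at the end
    return pairs, unmatched


if __name__ == "__main__":
    found, leftovers = pair_req_res(SAMPLE_EVENTS)
    print("ACCNO\t\tduration")
    for p in found:
        print(f"{p['ACCNO']}\t{p['duration']}")
    print(f"unmatched events: {len(leftovers)}")
```

Pairing on ACCNO rather than SNAME matters once there are thousands of accounts: with SNAME as the only grouping field, a REQ from one account can be closed by the RES of another, and the per-ACCNO durations in the expected table would be wrong without any error being raised.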

richgalloway
SplunkTrust

Duration is calculated automatically by the transaction command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mprreddy51
Explorer

I know duration will come automatically with transaction.

I want the format below for the above data. The calculation should be between the first "REQ" and first "RES" time, and in the same way between the second REQ and second RES time.

ACCNO        duration
20161234     1.05
20161234     1.04

0 Karma