Hi Folks,
How do I calculate the time for the scenario below (same ACCNO), using transaction?
20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234" 
20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
Current Search:
index=PQRST sourcetype=TEST SNAME=DEMO | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO,duration
Output:
ACCNO        duration
20161234     1.05
20161234     1.04
Thanks,
P
Try this run-anywhere sample (from your data in the question). This does calculate the duration as per your expectation. If this is not what you want, could you provide the table you're expecting?
Everything before rex is to generate sample data.
| gentimes start=-1 | eval temp="20160719T181321.405 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181320.400 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181231.906 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181230.902 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | extract kvdelim="=" 
|   rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval _time=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES"
Hi @somesoni2
I have big events, which I made short, and there are 1000's of events like this. For each ACCNO there will be 2 REQ and 2 RES like I have shown. Sometimes there may be one REQ and one RES also. I want to calculate the time taken between the first req and first res for the same accno. Example: if there are 2 requests and 2 responses for the same accno, then I should get the time taken by the first req and first res, and the time taken by the second req and second res.
expected output:
ACCNO       DURATION
20161234    1.05 (difference between 1st req and first res)
20161234    1.04 (difference between 2nd req and second res)
Similar for other accno also......
Give this a try
index=PQRST sourcetype=TEST SNAME=DEMO MESSAGE="RES" OR MESSAGE="REQ" | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO,duration
Duration is calculated automatically by the transaction command.
I know duration will come automatically with transaction.
I want the below format for the above data. The calculation should be the first "REQ" and first "RES" time, and the same way the second REQ and second RES time.
ACCNO        duration
20161234     1.05
20161234     1.04
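Added example, not part of the thread and not any poster's code: a Python reference for the pairing the question asks for, useful for cross-checking a search's output on exported events. It pairs each REQ with the next RES for the same ACCNO (not SNAME) and reports leftovers; the second account, ACCNO 20165678, and the function name `pair_durations` are made up for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the four events from the question plus a second,
# interleaved account (ACCNO 20165678 is invented for this example).
SAMPLE = '''\
20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181320.900 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20165678"
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
20160719T181320.100 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20165678"
20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
'''

# Same timestamp pattern as the rex in the thread, plus MESSAGE and ACCNO.
EVENT = re.compile(r'^(?P<pt>\d{8}T\d{6}\.\d{3}) GMT MESSAGE="(?P<msg>REQ|RES)"'
                   r'.*?ACCNO="(?P<acc>\d+)"')

def pair_durations(text):
    """Return (rows, unmatched); rows are (ACCNO, seconds) per REQ/RES pair."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(m["pt"], "%Y%m%dT%H%M%S.%f")
            events.append((ts, m["msg"], m["acc"]))
    events.sort()  # search results arrive newest first; pairing needs oldest first
    pending = defaultdict(deque)  # ACCNO -> timestamps of unanswered REQs
    rows, unmatched = [], []
    for ts, msg, acc in events:
        if msg == "REQ":
            pending[acc].append(ts)
        elif pending[acc]:
            start = pending[acc].popleft()  # oldest open REQ for this account
            rows.append((acc, round((ts - start).total_seconds(), 3)))
        else:
            unmatched.append((acc, "RES", ts))  # response with no request
    for acc, queue in pending.items():
        unmatched.extend((acc, "REQ", ts) for ts in queue)  # never answered
    return rows, unmatched

if __name__ == "__main__":
    for acc, seconds in pair_durations(SAMPLE)[0]:
        print(acc, seconds)
```

For the four events in the question the timestamps give 1.004 and 1.005 seconds; the interleaved second account is paired separately because the grouping key is ACCNO.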
