Splunk Search

How to find in between duration between three transaction event?

limalbert
Path Finder

Hi,

How can I find in between duration between three transaction event? For example, the duration1 between mod1 and mod2, and duration2 between mod2 and mod3. My current query is taking a while because I'm appending two searches. how can I improve it
Ex:

user type time
user1 mod1 10:00
user1 mod2 11:00
user1 mod3 13:00

Expected result

user      durationMod1Mod2  durationMod2Mod3
user1          1 hour           2 hours

Current code:

base search ...

| transaction user startswith=eval(status="mod1") endswith=eval(status="mod2")  
| rename duration as duration1
| append [base search ...
  | transaction user startswith=eval(status="mod2") endswith=eval(status="mod3")
   | rename duration as duration2 ]
| stats values(duration1), values(duration1)  by user
0 Karma
1 Solution

to4kawa
Ultra Champion
base search ...
| stats range(eval(if(status="mod1" OR status="mod2" OR status="mod3", _time, NULL))) as duration by user

View solution in original post

0 Karma

to4kawa
Ultra Champion
base search ...
| stats range(eval(if(status="mod1" OR status="mod2" OR status="mod3", _time, NULL))) as duration by user
0 Karma

limalbert
Path Finder

Thank you! This works for me.

base search ...
| stats range(eval(if(status="mod1" OR status="mod2" OR status="mod3", _time, NULL))) as duration1, range(eval(if(status="mod2" OR status="mod3", _time, NULL))) as duration2 by user
0 Karma

arjunpkishore5
Motivator

Can you post your expected output? I also don't see the field duration in your data, nor do i see it being calculated here.

0 Karma

limalbert
Path Finder

Expected result is added. Transaction command actually created duration.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...