Splunk Search

## How to find the duration for order submission to each suborder process.

New Member

I am working on a product where I have one order number, and it has multiple suborders.
Once each suborder is processed, I get the suborder number and the main order number.
I need to find the duration from order submission to each suborder being processed.

For example:
my order is abc, and the suborders I have are 1, 2, 3.
My result set should be:

| order | sub order | duration |
|-------|-----------|----------|
| abc   | 1         | 10       |
| abc   | 2         | 23       |
| abc   | 3         | 15       |

When I use transaction for this search, I get the duration from main order submission to the last suborder processed.
How do I get the individual durations?

SplunkTrust

Try this:

```
(sourcetype="source1" AuditLog: A=CR)
| join OrderNumber [search (source="source2" Source=RESPONSE) | stats min(_time) AS start by OrderNumber]
| eval duration = _time - start
```

Explanation:
A subsearch gets the time for each order number, then the join attaches that result to the sub-order events using the order number, making the order time available in every sub-order. From there you can just calculate the duration using eval.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
New Member

Thanks, it worked for me.

Legend

@ravi08402 please add more details on the events from your sub-orders that help you identify that a sub-order is being processed and that processing has completed. Also, is there a state in the main order that identifies its start and completion?

What is the current transaction command you are using?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
New Member

@niketnilay when I submit an order, the log looks like below.

2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub-line (sub-order) details as below:

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

When I use this query, all possible events are formed into one event:

```
(source="source2" Source=RESPONSE) OR (sourcetype="source1" AuditLog: A=CR) | transaction OrderNumber duration
```

I need to know the time difference between the main line and each sub-line's processing.

SplunkTrust

Are the timestamps in your example data correct?
Is there a relation between LineSeqNumber and timestamp?
Is it safe to assume the order happens before the sub-orders? (It's not the case in your example data.)

------------
Hope I was able to help you. If so, an upvote would be appreciated.
New Member

2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub-line (sub-order) details as below:

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

Corrected the timestamp. No, there is no relation between the timestamp and LineSeqNumber.
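To see why `transaction OrderNumber` collapses everything into one span while the accepted answer's `join` gives one duration per sub-order, here is an added Python example that replays both computations over the two log formats posted in this thread. It is not part of the thread and not Splunk code: the log lines are constructed copies of the ones above plus one extra sub-order (order 99999999) for which no RESPONSE event was ever logged, the `key=value` extraction is a stand-in for Splunk's automatic field extraction, and the `order_start_times` / `suborder_durations` / `transaction_duration` names are this example's own. Splunk's `join` is an inner join by default, so a sub-order whose main order never logged a RESPONSE event silently disappears from the result; the example returns those rows separately so the gap is visible.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the two log formats posted in the thread (not captured from a real system).
RESPONSE_LOGS = [
    "2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550",
]
AUDIT_LOGS = [
    "2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success",
    "2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success",
    "2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success",
    "2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success",
    "2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail",
    # Constructed extra line: a sub-order whose main order never logged a RESPONSE event.
    "2019-08-05 21:30:00,000 INFO {193} AuditLog:A=CR,OrderNumber=99999999,LineSeqNumber=1,Status=Success",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Return (_time as epoch seconds, {field: value}), mimicking Splunk's key=value auto-extraction."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp found: {line!r}")
    # Treat the log timestamp as UTC so the arithmetic does not depend on the host time zone.
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    return ts + int(m.group(2)) / 1000.0, dict(KV_RE.findall(line))


def order_start_times(response_lines):
    """Subsearch equivalent: `| stats min(_time) AS start by OrderNumber` over Source=RESPONSE events."""
    start = {}
    for line in response_lines:
        ts, f = parse_event(line)
        if f.get("Source") != "RESPONSE":
            continue
        order = f["OrderNumber"]
        start[order] = min(ts, start.get(order, ts))
    return start


def suborder_durations(audit_lines, response_lines):
    """Accepted-answer equivalent: join on OrderNumber, then eval duration = _time - start.

    Returns (rows, unmatched): rows is one record per sub-order sorted by order and line number;
    unmatched lists the (order, line) pairs an inner join would have dropped for lack of a RESPONSE event.
    """
    start = order_start_times(response_lines)
    rows, unmatched = [], []
    for line in audit_lines:
        ts, f = parse_event(line)
        if f.get("A") != "CR":
            continue
        order = f["OrderNumber"]
        if order not in start:
            unmatched.append((order, int(f["LineSeqNumber"])))
            continue
        rows.append({
            "order": order,
            "sub_order": int(f["LineSeqNumber"]),
            "status": f["Status"],
            "duration": round(ts - start[order], 3),
        })
    rows.sort(key=lambda r: (r["order"], r["sub_order"]))
    return rows, unmatched


def transaction_duration(audit_lines, response_lines):
    """What `| transaction OrderNumber` reports: one span per order, earliest event to latest event."""
    times = {}
    for line in response_lines + audit_lines:
        ts, f = parse_event(line)
        times.setdefault(f["OrderNumber"], []).append(ts)
    return {order: round(max(t) - min(t), 3) for order, t in times.items()}


if __name__ == "__main__":
    rows, unmatched = suborder_durations(AUDIT_LOGS, RESPONSE_LOGS)
    print("order sub_order status duration")
    for r in rows:
        print(f"{r['order']} {r['sub_order']} {r['status']} {r['duration']}")
    print("dropped by inner join:", unmatched)
    print("transaction-style span per order:", transaction_duration(AUDIT_LOGS, RESPONSE_LOGS))
```

With the corrected timestamps, the per-line durations against the 21:26:20,311 RESPONSE event are 192.043 s (line 1), 82.043 s (line 2), 132.043 s (line 3), 52.043 s (line 4, Status=Fail) and 72.043 s (line 5), while the transaction-style span for order 10169550 is the single value 192.043 s, which is exactly the "duration to the last sub-order" the question complains about. The Fail line is kept in the output on purpose: filter on Status afterwards if only successful lines should count.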
