I am working on a product where I have one order number with multiple suborders.
Once each suborder is processed, I get the suborder number and the main order number.
I need to find the duration from order submission to the processing of each suborder.
For example:
My order is abc, and I have sub orders 1, 2, 3.
My result set should be:
order   sub order   duration
abc     1           10
abc     2           23
abc     3           15
When I use transaction for this search, I get the duration between the main order submission and the last sub order processed.
How do I get the individual durations?
Try this:
(sourcetype="source1" AuditLog: A=CR)
| join OrderNumber [search (source="source2" Source=RESPONSE) | stats min(_time) AS start by OrderNumber]
| eval duration = _time - start
Explanation:
A subsearch gets the time for each order number, then the join attaches that result, using the order number, to the sub order events, making the order time available in every sub order. From there you can just calculate the duration using eval.
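To make concrete what the join search above computes, here is an added Python example (not from the original thread and not Splunk code) that replays the same logic over the sample log lines posted later in the thread, using the corrected 21:26:20 order timestamp; the extra order number 99999999 is constructed to show that Splunk's default inner join drops sub orders whose main order never logged a RESPONSE event.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the log lines posted in the thread.
RESPONSE_EVENTS = [
    "2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550",
]
AUDIT_EVENTS = [
    "2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success",
    "2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success",
    "2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success",
    "2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success",
    "2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail",
    # Constructed: a sub order whose main order never logged a RESPONSE event.
    "2019-08-05 21:30:00,000 INFO {193} AuditLog:A=CR,OrderNumber=99999999,LineSeqNumber=1,Status=Success",
]

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_event(line):
    """Return (_time, fields): the timestamp is the first 23 characters,
    key=value pairs are pulled out the way Splunk auto-extracts them."""
    ts = datetime.strptime(line[:23], TS_FMT)
    return ts, dict(KV_RE.findall(line))

def order_start_times(response_events):
    """The subsearch: stats min(_time) AS start by OrderNumber."""
    start = {}
    for line in response_events:
        ts, fields = parse_event(line)
        order = fields["OrderNumber"]
        if order not in start or ts < start[order]:
            start[order] = ts
    return start

def suborder_durations(audit_events, start):
    """The join + eval: one row (order, LineSeqNumber, seconds) per sub order.
    Sub orders with no matching order are dropped, as with an inner join."""
    rows = []
    for line in audit_events:
        ts, fields = parse_event(line)
        order = fields["OrderNumber"]
        if order not in start:
            continue
        rows.append((order, int(fields["LineSeqNumber"]), (ts - start[order]).total_seconds()))
    return sorted(rows, key=lambda r: (r[0], r[1]))

if __name__ == "__main__":
    for order, seq, dur in suborder_durations(AUDIT_EVENTS, order_start_times(RESPONSE_EVENTS)):
        print(f"{order} {seq} {dur:.3f}")
```

With the uncorrected 21:27:20 order timestamp from the first posting, sub order 4 would come out with a negative duration, which is a quick way to spot the ordering problem the later comments raise.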
Thanks, it worked for me.
@ravi08402 please add more details to the events from your sub order that help you identify that the Sub Order is being processed and that processing has completed. Also, is there a state in the main order that identifies it starting and completing?
What is the current transaction command you are using?
Please ensure to mock/anonymize any sensitive information in your data/code before posting on Splunk Answers.
@niketnilay when I submit an order the log looks like below.
2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550
After the request is processed, we can see individual sub line (sub order) details as below:
2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail
When I use this query, all possible events are combined into one event.
(source="source2" Source=RESPONSE) OR (sourcetype="source1" AuditLog: A=CR) | transaction OrderNumber duration
I need to know the time difference between the main line and each sub line's processing.
Are the timestamps in your example data correct?
Is there a relation between LineSeqNumber and timestamp?
Is it safe to assume the order happens before the sub orders? (It's not the case in your example data.)
2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550
After the request is processed, we can see individual sub line (sub order) details as below:
2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail
Corrected the timestamp. No, there is no relation between timestamp and LineSeqNumber.