Splunk Search

How to find the duration for order submission to each suborder process.

New Member

I am working on a product where I have one order number, and it has multiple suborders.
Once each suborder is processed, I get the suborder number and the main order number.
I need to find the duration from order submission to each suborder being processed.

For example:
my order is abc, sub orders I have are 1, 2, 3
my result set should be

order   sub order   duration
abc     1           10
abc     2           23
abc     3           15

When I use transaction for this search I get the duration from main order submission to the last sub order processed.
How do I get the individual durations?

1 Solution

Motivator

Try this:

(sourcetype="source1" AuditLog: A=CR) 
| join OrderNumber [search (source="source2" Source=RESPONSE) | stats min(_time) AS start by OrderNumber]
| eval duration = _time - start

Explanation:
The sub search gets the time for each order number; the join then attaches that result, using the order number, to the sub order events, making the order time available in every sub order. From there you can just calculate the duration using eval.

------------
Hope I was able to help you. If so, an upvote would be appreciated.

New Member

Thanks it worked for me


SplunkTrust

@ravi08402 please add more details about the events from your sub orders that help you identify that a sub order is being processed and that processing has completed. Also, is there a state in the main order that identifies it starting and completing?

What is the current transaction command you are using?

Please ensure to mock/anonymize any sensitive information in your data/code before posting on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

New Member

@niketnilay when I submit an order the log looks like below.

2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub line (sub order) details as below.

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

When I use this query, all possible events are formed into one event.
(source="source2" Source=RESPONSE) OR (sourcetype="source1" AuditLog: A=CR) | transaction OrderNumber duration

I need to know the time difference between the main line and each sub line's processing.


Motivator

Are the timestamps in your example data correct?
Is there a relation between LineSeqNumber and timestamp?
Is it safe to assume the order happens before the sub orders? (It's not the case in your example data.)

------------
Hope I was able to help you. If so, an upvote would be appreciated.

New Member

2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub line (sub order) details as below.

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

Corrected the timestamp. No, there is no relation between timestamp and LineSeqNumber.

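The accepted answer's approach (a subsearch taking min(_time) per OrderNumber, a join on OrderNumber, then eval of the difference) re-done outside Splunk over the corrected sample events from this thread, as an added example that is not code from the thread or from Splunk. The field parser, the function names and the millisecond arithmetic are assumptions made here; the log lines are the ones posted above. It also carries the sanity check behind the question "is it safe to assume the order happens before the sub orders?", which flags the negative duration the uncorrected 21:27:20 order timestamp would produce for LineSeqNumber 4.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the corrected log lines posted in this thread.
ORDER_LINES = [
    "2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550",
]
SUBORDER_LINES = [
    "2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success",
    "2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success",
    "2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success",
    "2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success",
    "2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail",
]
# The uncorrected order timestamp from the earlier post, kept to show the ordering check.
ORDER_LINES_UNCORRECTED = [
    "2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550",
]

# Assumed parser: leading timestamp plus key=value pairs (a stand-in for Splunk's auto kv extraction).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s")
KV_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=([^,\s]+)")
EPOCH = datetime(1970, 1, 1)


def parse_event(line):
    """Return the event's fields plus _time_ms (integer milliseconds, the counterpart of _time)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no leading timestamp: %r" % line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    fields = dict(KV_RE.findall(line))
    fields["_time_ms"] = (ts - EPOCH) // timedelta(milliseconds=1)
    return fields


def order_start_times(order_events):
    """Counterpart of the subsearch: search Source=RESPONSE | stats min(_time) AS start by OrderNumber."""
    starts = {}
    for ev in order_events:
        if ev.get("Source") != "RESPONSE" or "OrderNumber" not in ev:
            continue
        key = ev["OrderNumber"]
        starts[key] = min(starts.get(key, ev["_time_ms"]), ev["_time_ms"])
    return starts


def suborder_durations(order_lines, suborder_lines):
    """Counterpart of: AuditLog A=CR | join OrderNumber [...] | eval duration = _time - start.

    Returns (OrderNumber, LineSeqNumber, Status, duration_ms) tuples sorted by order and line.
    Sub order events with no matching order are dropped, as the default inner join drops them.
    """
    starts = order_start_times(parse_event(l) for l in order_lines)
    rows = []
    for ev in (parse_event(l) for l in suborder_lines):
        if ev.get("A") != "CR" or ev.get("OrderNumber") not in starts:
            continue
        order = ev["OrderNumber"]
        rows.append((order, int(ev["LineSeqNumber"]), ev.get("Status"), ev["_time_ms"] - starts[order]))
    rows.sort(key=lambda r: (r[0], r[1]))
    return rows


def negative_durations(rows):
    """Rows where the sub order was logged before its order: a sign the timestamps or the join key are wrong."""
    return [r for r in rows if r[3] < 0]


if __name__ == "__main__":
    print("order      sub order  status   duration_s")
    for order, seq, status, ms in suborder_durations(ORDER_LINES, SUBORDER_LINES):
        print(f"{order:<10} {seq:<10} {status:<8} {ms / 1000:.3f}")
    bad = negative_durations(suborder_durations(ORDER_LINES_UNCORRECTED, SUBORDER_LINES))
    print("sub orders logged before the uncorrected order time:", [r[1] for r in bad])
```

Run as a script it prints the order / sub order / duration table the question asks for. The negative-duration check is worth keeping in the real search too (for example an `eval` flag on `duration < 0`), since the first data sample in this thread had exactly that problem and a join will silently produce the negative value.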