Splunk Search

How to generate a search that will calculate response time based on my event?


I have to take the response time from the given event: 12/07/2016 07:36:49 :: :: 090A24936 Req. : 07:36:49:450 --- 090A24936 Reply : 07:36:49:872. Can anyone help on this?



Try this

base search | rex "Req.*\s(?<start>\d+:\d+:\d+:\d+)[\s\S]+\s(?<end>\d+:\d+:\d+:\d+)" | eval start=strptime(start, "%H:%M:%S:%3N") | eval end=strptime(end, "%H:%M:%S:%3N") | eval duration=end-start | eval duration=tostring(duration, "duration")
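
An added example, not part of the original answer: a Python check of the same extract-and-subtract logic against the event from the question, so the expected value can be confirmed before running the search. The function names, the stricter pattern and the second and third sample events are assumptions constructed here; it also handles a reply that lands after midnight, where a plain time-of-day subtraction goes negative.

```python
import re
from datetime import timedelta

# Stricter variant of the rex above (an assumption of this example): anchor on
# the literal "Req." and "Reply" labels and require HH:MM:SS:mmm after each.
PATTERN = re.compile(
    r"Req\.\s*:\s*(?P<start>\d{2}:\d{2}:\d{2}:\d{3})"
    r".*?Reply\s*:\s*(?P<end>\d{2}:\d{2}:\d{2}:\d{3})",
    re.DOTALL,
)


def to_delta(stamp):
    """Convert 'HH:MM:SS:mmm' into a timedelta since midnight."""
    hours, minutes, seconds, millis = (int(part) for part in stamp.split(":"))
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"not a valid time of day: {stamp}")
    return timedelta(hours=hours, minutes=minutes, seconds=seconds,
                     milliseconds=millis)


def response_time_ms(event):
    """Return Reply minus Req in milliseconds, or None if the pair is missing."""
    match = PATTERN.search(event)
    if match is None:
        return None
    start = to_delta(match["start"])
    end = to_delta(match["end"])
    if end < start:
        # Only the time of day is logged, so a smaller reply time means the
        # reply was written after midnight: add one day before subtracting.
        end += timedelta(days=1)
    return (end - start) // timedelta(milliseconds=1)


SAMPLE_EVENTS = [
    # Event from the question.
    "12/07/2016 07:36:49 :: :: 090A24936 Req. : 07:36:49:450 --- 090A24936 Reply : 07:36:49:872",
    # Constructed: reply crosses midnight.
    "12/07/2016 23:59:59 :: :: 090A24937 Req. : 23:59:59:900 --- 090A24937 Reply : 00:00:00:150",
    # Constructed: request with no reply logged.
    "12/07/2016 07:40:00 :: :: 090A24938 Req. : 07:40:00:100",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(response_time_ms(event), "ms <-", event)
```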