Splunk Search

How to get sum of durations in milliseconds?

monicateja
Explorer


1. How do I get the total sum of call_Duration for all the call_Name values mentioned below in Splunk, converted from ms to seconds, with the details below?

call_Name=A
call_Duration=501
call_Name=B
call_Duration=2456
call_Name=C
call_Duration=1115
call_Name=D
call_Duration=1598
call_Name=E
call_Duration=1621


I also have another column (column name is E2E time), which is 17.677 seconds in total.

2. I need help calculating the total time difference: total E2E Time - call_Duration


woodcock
Esteemed Legend

|makeresults | eval _raw="
call_Name call_Duration E2E
A 501 17.677
B 2456 17.677
C 1115 17.677
D 1598 17.677
E 1621 17.677"
| multikv forceheader=1
| fields - linecount _*
| eval call_Duration = call_Duration / 1000
| stats sum(call_Duration) AS call_Duration sum(E2E) AS E2E sum(eval(call_Duration - E2E)) AS sum_diff BY call_Name


monicateja
Explorer

Thanks. Seeing an error in the makeresults command.


woodcock
Esteemed Legend

Just cut it and paste it and run it AS-IS.  Do not modify anything at first.

manjunathmeti
Champion

Hi @monicateja,

Try this if you need to find the sum and difference by call_Name:

index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec by call_Name 
| eval time_diff=E2E_time_sec-call_Duration_sec

or this if you need the total sum for all the call_names:

index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec 
| eval time_diff=E2E_time_sec-call_Duration_sec

yeahnah
Motivator

Hi @monicateja 

I'm not sure how your raw events look, but hopefully this run-anywhere example helps you...

| makeresults
| eval _raw="call_Name,call_Duration
A,501
B,2456
C,1115
D,1598
E,1621"
| multikv forceheader=1
| eval E2E_time_sec="17.677"
  ``` above just creates dummy data ```
  ``` add the following to your search ``` 
| eval call_Duration_sec=(call_Duration/1000)  ``` convert milliseconds to seconds ```
| addcoltotals call_Duration_sec  ``` sum call durations ```
| table call_Name call_Duration_sec E2E_time_sec
| filldown E2E_time_sec
| eval time_diff_sec=(E2E_time_sec - call_Duration_sec)  ``` time diff call durations to E2E time ```

Hope this helps
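
An added example (not part of any post in this thread): a run-anywhere search that returns one row with the total across all calls, built on the thread's sample values. It takes E2E with max() rather than sum(), on the assumption that every event repeats the same end-to-end value; the output field names calls, total_ms, total_sec, E2E_time_sec and time_diff_sec are chosen here.

```spl
| makeresults
| eval _raw="call_Name call_Duration E2E
A 501 17.677
B 2456 17.677
C 1115 17.677
D 1598 17.677
E 1621 17.677"
| multikv forceheader=1
| stats count AS calls sum(call_Duration) AS total_ms max(E2E) AS E2E_time_sec
| eval total_sec = total_ms / 1000
| eval time_diff_sec = round(E2E_time_sec - total_sec, 3)
| table calls total_ms total_sec E2E_time_sec time_diff_sec
```

With the five sample durations, total_ms is 7291. If E2E differs per event, replace max(E2E) with the aggregation that matches how that field is recorded.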

 
