Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get sum of durations in milliseconds?

monicateja
Explorer
‎04-11-2023 06:56 PM


1. How to get total sum of call_Duration of time for all call_Name mentioned below in splunk from ms to seconds with below details

call_Name=A
call_Duration=501
call_Name=B
call_Duration=2456
call_Name=C
call_Duration=1115
call_Name=D
call_Duration=1598
cal_Name=E
call_Duration=1621


And also I have another column (column name is E2E time)  which is total 17.677 seconds 

2. Need help in calculating total time difference for total  E2E Time - call_Duration

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-13-2023 11:34 AM

|makeresults | eval _raw="
call_Name call_Duration E2E
A 501 17.677
B 2456 17.677
C 1115 17.677
D 1598 17.677
E 1621 17.677"
| multikv forceheader=1
| fields - linecount _*
| eval call_Duration = call_Duration / 1000
| stats sum(call_Duration) AS call_Duration sum(E2E) AS E2E sum(eval(call_Duration - E2E)) AS sum_diff BY call_Name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-13-2023 11:34 AM

|makeresults | eval _raw="
call_Name call_Duration E2E
A 501 17.677
B 2456 17.677
C 1115 17.677
D 1598 17.677
E 1621 17.677"
| multikv forceheader=1
| fields - linecount _*
| eval call_Duration = call_Duration / 1000
| stats sum(call_Duration) AS call_Duration sum(E2E) AS E2E sum(eval(call_Duration - E2E)) AS sum_diff BY call_Name

0 Karma
Reply
Solved! Jump to solution

monicateja
Explorer
‎04-13-2023 11:53 AM

Thanks. seeing error in make results command 

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-13-2023 12:21 PM

Just cut it and paste it and run it AS-IS.  Do not modify anything at first.

Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-12-2023 03:43 AM

hi @monicateja,

Try this if you need to find the sum and difference by call_Name:

 

index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec by call_Name 
| eval time_diff=E2E_time_sec-call_Duration_sec

 

 

or this if you need the total sum for all the call_names:

 

index=indexname sourcetype=sourcetypename
| stats sum(call_Duration_sec) as call_Duration_sec, sum(E2E_time_sec) as E2E_time_sec 
| eval time_diff=E2E_time_sec-call_Duration_sec

 

 

Reply
Solved! Jump to solution

yeahnah
Motivator
‎04-11-2023 07:22 PM

Hi @monicateja 

I'm not sure how your raw events look but hopefully this run anywhere example helps you...

 

| makeresults
| eval _raw="call_Name,call_Duration
A,501
B,2456
C,1115
D,1598
E,1621"
| multikv forceheader=1
| eval E2E_time_sec="17.677"
  ``` above just creates dummy data ```
  ``` add the following to your search ``` 
| eval call_Duration_sec=(call_Duration/1000)  ``` convert milli seconds to seconds ```
| addcoltotals call_Duration_sec  ``` sum call durations ```
| table call_Name call_Duration_sec E2E_time_sec
| filldown E2E_time_sec
| eval time_diff_sec=(E2E_time_sec - call_Duration_sec)  ``` time diff call durations to E2E time ```

 

Hope this helps

 

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...