Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get the duration in seconds from a multiline event?

icyfeverr
Path Finder
‎08-18-2015 11:49 AM

I am trying to find the best way to get the duration (in seconds) on a multiline event, possibly having it captured during indexing. I know I can use rex/field extractions and use the eval command at search-time, but was hoping for some more ideas.

Example:

--------------------[Start Session - 2015-08-18 10:47:27.000]-------------------
[2015-08-18 10:47:27.000][INFO]Attempting to connect...
[2015-08-18 10:47:27.000][INFO]Sending request
[2015-08-18 10:47:27.000][INFO]Retrieving response
[2015-08-18 10:47:29.000][INFO]Response size = 627 bytes
---------------------[End Session - 2015-08-18 10:47:29.000]--------------------

Duration = 2 (seconds)

Thanks in advance.

Tags (2)
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-18-2015 01:51 PM

Well, your non-search-time options are really only index-time extractions - most likely, this isn't what you actually want.

You could edit props.conf to include an extraction of the time so its always extracted, then use a calculated field to automatically create the duration between the _time & the second time field. Is that an example of something you might be looking for ?

Reply

icyfeverr
Path Finder
‎08-18-2015 02:01 PM

Yes, that is a potential solution. I was really hoping there was a way to have the multiline event act like the transaction command and have it apply a duration field to the event upon index.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-19-2015 08:54 AM

What necessitates it being at index time? Search time field exrtraction / creation isn't normally a bottleneck, especially if you're searching smart & using the fields command, etc.

Reply

icyfeverr
Path Finder
‎08-19-2015 08:59 AM

Ok, so utilizing the field extractions for the End Session time is all that would be needed then, since the start time is associated to Start Session time, then just use the eval to translate the string to an epoch time and then subtracting the two to get the second difference. I guess I will go with that, I was just trying to see if there was a different/better way of going about it. Thanks.

0 Karma
Reply

jensonthottian
Contributor
‎08-18-2015 01:21 PM

Transaction command finds transactions based on events that meet various constraints. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member.
Additionally, the transaction command produces two fields to the raw events, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction.

| transaction startswith="Start Session" endswith="End Session"

Reply

icyfeverr
Path Finder
‎08-18-2015 01:46 PM

I appreciate the response, but the Transaction command can not be applied to a multi-line-event, as a multi-line-event is essentially, at least in this case, a "transaction" already. The text example you see above is a "single" event since it was indexed as a multi-line event.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...