Splunk Search

How to get the time duration between two scenarios?

New Member

Hey all,

I wanted to see if someone can help me out with this. Basically I'm trying to get a duration for the time in between 2 scenarios. I'm trying to get how long it takes for each user to get from scenario_1 to scenario_2 by service. This is what I have so far and it seems to work when I do it by individual service:

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2") user_ID="*" service_name="*service_1*"
| transaction user_ID
| stats mean(duration) AS "Mean Duration(In Seconds)" by service_name

Stats table shows:

service_name | Mean Duration(In Seconds)
service_1    | 7.25

It returns a low number and when I manually checked the mean time by user_ID, it is correct.
However, when I want to get the mean duration for all services, I get a much higher number, especially for service_1 above. Keep in mind, I have 9 services I'm trying to get numbers from. So basically when I run the following and don't specify a service_name, or I include more than one service name, I get much higher numbers (for exactly the same period of time) as the mean duration for each service (note service_1 is the same service as in the above result but returning a much higher number):

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2") user_ID="*"
| transaction user_ID
| stats mean(duration) AS "Mean Duration(In Seconds)" by service_name

Stats table shows:

service_name | Mean Duration(In Seconds)
service_1    | 189.57
service_2    | 5.75
service_3    | 5.75
service_4    | 1.35
service_5    | 6.25
service_6    | 10.40
service_7    | 4.53
service_8    | 8.78
service_9    | 6.72

I've also experimented with looking further back in time, and the mean duration goes up as I go further back in time if I don't specify 1 service, or include more than 1 service, or include all services.

Hopefully I made sense and someone can help me with what I am doing wrong.

thx!!


SplunkTrust

Does something like this help for starters? Since you're always looking for UserID, I included it in the initial stats. Ultimately, my logic is trying to transform like-events to a singular view by using stats and grouping by some unique identifier. By using earliest and latest functions, we can calculate duration before calculating average. Stats is also less taxing if you're able to fit it in:

index=index_name (scenariotype="scenario_1" OR scenariotype="scenario_2")
| stats earliest(_time) as start_time,
latest(_time) as end_time,
latest(user_ID) as user_ID
by service_name, scenariotype
| eval duration = end_time-start_time

From there you can roll this up to more of a summary view with avg durations, etc.:

| stats avg(duration) as avg_duration count(user_ID) as user_id by service_name

You might need to play around with the second stats depending on how your data looks, but try this out for now and let me know how it looks.
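To see why the numbers in the question grow as more services are included, here is an added illustration (Python rather than SPL, and not code from either post) that emulates the earliest/latest grouping over a constructed set of events with the poster's field names: grouping by user_ID alone merges one user's events from different services into a single span, while grouping by user_ID and service_name keeps each scenario_1 to scenario_2 pair separate.

```python
from collections import defaultdict

# Constructed sample events (not from the original post).  Field names mirror
# the poster's search: one user (u1) hits two services, another (u2) hits one;
# each service has a scenario_1 -> scenario_2 pair a few seconds apart.
EVENTS = [
    {"_time": 1000.0, "user_ID": "u1", "service_name": "service_1", "scenariotype": "scenario_1"},
    {"_time": 1007.0, "user_ID": "u1", "service_name": "service_1", "scenariotype": "scenario_2"},
    {"_time": 1200.0, "user_ID": "u1", "service_name": "service_2", "scenariotype": "scenario_1"},
    {"_time": 1206.0, "user_ID": "u1", "service_name": "service_2", "scenariotype": "scenario_2"},
    {"_time": 1500.0, "user_ID": "u2", "service_name": "service_1", "scenariotype": "scenario_1"},
    {"_time": 1508.0, "user_ID": "u2", "service_name": "service_1", "scenariotype": "scenario_2"},
]


def spans(events, group_by):
    """Emulate `stats earliest(_time) latest(_time) values(service_name) by <group_by>`
    followed by `eval duration = latest - earliest`.
    Returns {group_key: (duration_seconds, frozenset_of_service_names)}."""
    groups = {}
    for ev in events:
        key = tuple(ev[f] for f in group_by)
        g = groups.setdefault(key, {"first": ev["_time"], "last": ev["_time"], "svc": set()})
        g["first"] = min(g["first"], ev["_time"])
        g["last"] = max(g["last"], ev["_time"])
        g["svc"].add(ev["service_name"])
    return {k: (g["last"] - g["first"], frozenset(g["svc"])) for k, g in groups.items()}


def mean_duration_by_service(events, group_by):
    """Roll the per-group durations up to a mean per service_name.
    A group that spans several services (a multivalue service_name, which is
    what `transaction user_ID` produces) contributes its whole span to each
    of those services, which is what inflates the per-service mean."""
    total, count = defaultdict(float), defaultdict(int)
    for duration, services in spans(events, group_by).values():
        for svc in services:
            total[svc] += duration
            count[svc] += 1
    return {svc: round(total[svc] / count[svc], 2) for svc in sorted(total)}


if __name__ == "__main__":
    # Grouping by user only merges u1's two services into one 206-second span.
    print(mean_duration_by_service(EVENTS, ("user_ID",)))
    # Grouping by user and service keeps each scenario pair separate.
    print(mean_duration_by_service(EVENTS, ("user_ID", "service_name")))
```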
