- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get timing data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get timing data
If I do index=whatever, I get something that looks like this:
2017-05-24T13:46:08Z|pegawifiview1495761514|8501114746901|G67BW48BD601389|None|viewDeviceWiFiNetworks_getResult|{"transactionid": "pegawifiview1495761514", "ticketid": 53400535}|{"request": {"method": "viewDeviceWiFiNetworks_getResult", "arguments": {"transactionid": "pegawifiview1495761514", "ticketid": 53400535}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "" .......
There are many events, and some with the same ticketid.
What I need to do is this: for each ticketid, determine how much time passed between each step.
For example, if I put a particular ticketid in the search field, I get the following two events:
2017-05-24T13:46:08Z|2017-05-24 13:45:59.921|1001000175904|b01041e6fafe|None|viewDeviceConnectedClients_getResult|{"transactionid": "2017-05-24 13:45:59.921", "ticketid": 53400657}|{"request": {"method": "viewDeviceConnectedClients_getResult", "arguments": {"transactionid": "2017-05-24 13:45:59.921", "ticketid": 53400657}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "", "result": [{"macAddress": "2C:AE:2B:49:C2:86", "percentBWUtilization": "0", "signalStrength": -39, "connectedIdentifier": "2CAE2B49C286", "connectionType": "802.11", "activeDevice": 1, "deviceType": "Samsung Electronics Co.,Ltd", "networkIdentifier": "32", "deviceName": "android-9b9a1ce0ea0aeff1", "ipAddress": "192.168.0.28"}, {"macAddress": "24:0D:C2:AA:F5:BF", "percentBWUtilization": "0", "signalStrength": -59, "connectedIdentifier": "240DC2AAF5BF", "connectionType": "802.11", "activeDevice": 1, "deviceType": "", "networkIdentifier": "32", "deviceName": "android-2315ceb08818ecac", "ipAddress": "192.168.0.27"}, {"macAddress": "B0:10:41:E6:FB:00", "percentBWUtilization": "0", "signalStrength": 1, "connectedIdentifier": "B01041E6FB00", "connectionType": "Ethernet", "activeDevice": 0, "deviceType": "Hon Hai Precision Ind. Co.,Ltd.", "networkIdentifier": 0, "deviceName": "", "ipAddress": "192.168.0.10"}, {"macAddress": "24:0D:C2:F2:3C:FD", "percentBWUtilization": "0", "signalStrength": -41, "connectedIdentifier": "240DC2F23CFD", "connectionType": "802.11", "activeDevice": 1, "deviceType": "", "networkIdentifier": "32", "deviceName": "android-99f3d41f675c5616", "ipAddress": "192.168.0.26"}]}}
2017-05-24T13:46:00Z|2017-05-24 13:45:59.921|1001000175904|b01041e6fafe|None|viewDeviceConnectedClients|{"transactionid": "2017-05-24 13:45:59.921", "singleCPEidentifier": {"cpeid": "b01041e6fafe"}}|{"request": {"method": "viewDeviceConnectedClients", "arguments": {"transactionid": "2017-05-24 13:45:59.921", "singleCPEidentifier": {"cpeid": "b01041e6fafe"}}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "53400657", "result": ""}}
I can see from the timestamps that it took 8 seconds.
And there may be more than 2 events for a given ticket ID. So I would need the total time. And I need it for every ticket ID in a general search.
I am new to splunk and I have no idea how to do this. I have been searching and trying some things, but I am pretty lost. Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An alternative could be to use the transaction SPL command. In the link it states
the transaction command adds two fields to the raw events, duration and eventcount. The values in the duration field show the difference between the timestamps for the first and last events in the transaction. The values in the eventcount field show the number of events in the transaction.
So as starting point you could try
index=whatever sourcetype=whichever
| transaction ticketid
| table ticketid duration eventcount
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=whatever sourcetype=whichever
| rename COMMENT as "Add below line if ticketid is not extracted, else remove"
| rex "ticketid\"\:\s*(?<ticketid>\d+)"
| table _time ticketid ...add other fields that you want to show..
| reverse
| streamstats values(_time) as prevtime by ticketid
| eval step_duration=prevtime-_time
| eventstats sum(step_duration) as total_durationo by ticketid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice. But _time is shown similar to this: 2017-05-24 12:55:24 , and prevtime is shown similar to this: 1495644925. So step_duration and total_dutation are always 0.
I tried eval step_duration=prevtime-values(_time), but it didn't work.
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
