Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search the time difference between transact...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatkar
Path Finder
06-22-2016
07:34 AM
I have three statements in my log file for each transaction like below:
index=abc* source="abc.log" 2410286283_b310-3358a1229709 INFO
22/Jun/2016 13:52:21.318 [ Thread-2 ] INFO : ResponsePoll - [STEP_ID = checkStatus ]{ message = "Status from server" , messageId = 2410286283_b310-3358a1229709, ResponseStatus = SUCCESS }
22/Jun/2016 13:52:20.957 [ cacher-0 ] INFO : cacher - Cached [AppResponse{messageId='2410286283_b310-3358a1229709', responseSubscriberName='client01'}]
22/Jun/2016 13:52:05.191 [ sender-3 ] INFO : MessageService - [RequestStatus=Sent, Request=SuperVO{sessionId='2410286283_b310-3358a1229709', responseSubscriberName='client01'}]
I need to calculate the time between the statements having keyword ResponseStatus = SUCCESS and RequestStatus=Sent for each of the ID's like 2410286283_b310-3358a1229709.
In the above case, I should get a result as:
2410286283_b310-3358a1229709 00:00:16:127
I would like to do this for various ID's in my logs through Splunk.
Due to different naming standards followed in request & response for the ID, I am unable to think of a way to do this.
Any insights or help appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-22-2016
11:48 AM
Try this
index=abc* source="abc.log" ResponseStatus="SUCCESS" OR ResponseStatus="Sent" | eval sid=coalesce(sessionId, messageId) | streamstats window=1 current=f earliest(_time) as start by sid | eval duration=tostring(_time-start, "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-22-2016
11:48 AM
Try this
index=abc* source="abc.log" ResponseStatus="SUCCESS" OR ResponseStatus="Sent" | eval sid=coalesce(sessionId, messageId) | streamstats window=1 current=f earliest(_time) as start by sid | eval duration=tostring(_time-start, "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatkar
Path Finder
06-22-2016
09:59 PM
@sundareshr : Thanks for your help ! I slightly modified your answer & got it to work
index=abc* source="abc.log" "ResponseStatus = SUCCESS" OR "RequestStatus=Sent" | eval sid=coalesce(replace(sessionId,"'",""), messageId) | stats range(_time) as duration by sid
Get Updates on the Splunk Community!
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
