I extracted 2 fields called 'Request' and 'Response'... Both of these fields are integers.
How do I display the difference between the Response field and the Request field?
I finally figured it out! The transaction command automatically took the difference, but I just had to use 'duration'. Below is my query for others who may need help:
... | transaction GUID startswith="CalculateTaxRequest" endswith="CalculateTaxResponse" | top GUID by duration
Hey, a few years late, but I'm just wondering if you changed the timestamp into epoch time before using the transaction command?
Hi @sintjm ,
I’m a Community Moderator in the Splunk Community.
This question was posted 8 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
index=test | eval new_field = field1 - field2
Where would the output (the difference) be located? It's running the search and showing results, but I do not see the new field 'Difference' anywhere in my search.
I have:
index=test | eval Difference=Response-Request
You should find a new field added to Interesting Fields on the left-hand side called Difference.
Yeah, I see the 'Difference' field under Interesting Fields, but nothing is showing up when I click on it. Any suggestions?
I think @wpreston's answer above is suitable, as the events are separate.
Are Response and Request in the same event, or are they in separate events?
Separate events. I have a web service call which has a request/response pair. So I extracted the time from the request field, then I did a search for the response field and extracted the time from the response. So now I want to have a new field which holds the difference between the response and the request.
OK, if they are in separate events you will first need to link them together using either stats or transaction. If you post some sample events we can help with correlating them if you need it. After you've linked/correlated the events you can use eval to get the difference between Response and Request. As a generic example, something like this:
... search terms here ... | transaction startswith="Request" endswith="Response" maxevents=2 | eval Difference=Response-Request
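As an added example (not from this thread), here is the stats-based alternative mentioned above, using the poster's own event names and the extracted GUID field. It assumes each request and response event carries the same GUID value and that Splunk's built-in _time (already epoch seconds) is used as the timestamp, so no separate epoch conversion is needed.

```spl
index=test ("CalculateTaxRequest" OR "CalculateTaxResponse")
| eval req_time=if(searchmatch("CalculateTaxRequest"), _time, null())
| eval resp_time=if(searchmatch("CalculateTaxResponse"), _time, null())
| stats min(req_time) AS Request, max(resp_time) AS Response, count AS events BY GUID
| where isnotnull(Request) AND isnotnull(Response)
| eval Difference=Response-Request
| sort - Difference
```

The two eval lines tag each event with its own timestamp as either a request or a response time, stats then collapses the pair into one row per GUID, and the where clause drops GUIDs that never received a matching response (which the transaction form would silently leave without a duration). Difference is in seconds and appears in the results table rather than in the Interesting Fields list.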
Yeah, each request/response pair has a unique identifier. So if I have the request and I want to find the response, I can input that identifier (called a GUID) into the search and I can see both the request and response. So would my search look something like this?
...| transaction GUID="FF79-I348-3847" startswith="Request" endswith="Response" maxevents=2 | eval Difference=Response-Request
Very close! You don't have to put a specific GUID into the transaction statement; you just have to tell transaction which field to use to correlate the events. It would be this:
...| transaction GUID startswith="Request" endswith="Response" maxevents=2 | eval Difference=Response-Request
It's still not working; it's returning "results not found". I'm thinking it may be something to do with the startswith and endswith. The startswith should have the first word of the event and the endswith should have the last word of the event, right? Where would I see the 'Difference' (output)? Would it be where the other fields are?
Is GUID an extracted field?
Yes, I extracted the unique identifier (FF79-I348-3847) and named it GUID.
From the docs:
startswith = A search or eval filtering expression which, if satisfied by an event, marks the beginning of a new transaction.
endswith = A search or eval filtering expression which, if satisfied by an event, marks the end of a transaction.
So startswith should be a string or eval expression that identifies an event as the start of a transaction, and endswith should be a string or eval expression that identifies an event as the end of a transaction. See the docs on transaction here.
Your new Difference field will be over on the left side of the screen with the rest of the fields.