Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract two timestamps per logEvevtType?

user33
Path Finder
‎01-22-2023 07:17 PM

Hello, apologies if this was stated previously. I have multiple calls - each RequestID with a RequestReceive and ResponseTransmit. I am trying to find the difference between the two timestamps below. The difference of ResponseTransmit timestamp and RequestReceive timestamp. Then put that into a stats command ordered by clientPathURI and then the difference between the timestamps.

Any assistance is much appreciated!

 

[-]
   RequestIDb74fab20-9a7b-11ed-bd70-c503548afa99
   clientPathURIsignup
   levelInfo
   logEventTypeResponseTransmit
   timestamp2023-01-22T12:43:57.547-05:00
}

 

[-]
   RequestIDb74fab20-9a7b-11ed-bd70-c503548afa99
   clientPathURIsignup
   }
   levelInfo
   logEventTypeRequestReceive
   timestamp2023-01-22T12:43:57.496-05:00
}

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-23-2023 03:16 PM

You can do all that in the last stats command, so do this

| bin _time span=1d
| eval ts=strptime(timestamp, "%FT%T.%Q-%:z")
| stats min(ts) as mints max(ts) as maxts by _time clientPathURI RequestID
| eval duration=maxts-mints
| stats count as Calls perc95(duration) as p95Duration by _time clientPathURI

so this is doing

  • line 1 - creates a time bucket to calculate statistics by day
  • line 2 - converts timestamp to epoch
  • line 3 - calculates min/max timestamp by URI and Request
  • line 4 - calculates duration
  • line 5 - counts the calls, 95th percentile of duration by day and URI

Some caveats here

  • If you don't have both request/response for each call, then duration will be 0 for that, as min/max are the same
  • If a call goes over midnight, you will get 1 call with duration 0 on each day for the same RequestID

If relevant, you may want to consider error/failure status in these if they are significant and if they affect the duration in a meaningful way.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-22-2023 07:53 PM

Assuming the "}" in the second block is not really there and the fields from the event are extracted as per their JSON names, then this will aggregate min/max timestamps and calculated duration

| eval ts=strptime(timestamp, "%FT%T.%Q-%:z")
| stats min(ts) as mints max(ts) as maxts by clientPathURI RequestID
| eval duration=maxts-mints

then if you want to aggregate based on the clientPathURI only, do another stats, e.g.

| stats avg(duration) as avgDuration by clientPathURI
0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎01-23-2023 05:33 AM

as a follow up, each "transaction" or "call" has one RequestID. Each RequestID with two timnestamps, one Request and one Response. Something like the below? Any assistance is appreciated.

DateClientPathURINumber of calls95thpercentile of Duration
    
    
0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎01-23-2023 05:30 AM

Thank you, that is a huge help. Question, if I had multiple calls, how do I get the SPL to subtract timestamp by RequestID? I don't need the RequestID in the stats, but want the SPL to capture the difference in timestamps per call. And then take the 95th percentile of that call per day?

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-23-2023 03:16 PM

You can do all that in the last stats command, so do this

| bin _time span=1d
| eval ts=strptime(timestamp, "%FT%T.%Q-%:z")
| stats min(ts) as mints max(ts) as maxts by _time clientPathURI RequestID
| eval duration=maxts-mints
| stats count as Calls perc95(duration) as p95Duration by _time clientPathURI

so this is doing

  • line 1 - creates a time bucket to calculate statistics by day
  • line 2 - converts timestamp to epoch
  • line 3 - calculates min/max timestamp by URI and Request
  • line 4 - calculates duration
  • line 5 - counts the calls, 95th percentile of duration by day and URI

Some caveats here

  • If you don't have both request/response for each call, then duration will be 0 for that, as min/max are the same
  • If a call goes over midnight, you will get 1 call with duration 0 on each day for the same RequestID

If relevant, you may want to consider error/failure status in these if they are significant and if they affect the duration in a meaningful way.

 

0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎01-24-2023 09:47 AM

Awesome! Excellent insights!! This solution worked out great. I will take a look at failures as well. Thank you very much for this!!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...