Solved: Measuring time difference between 2 entries

Silah · ‎06-13-2024

Hi

I am getting a log feed for a transactional system. Each log entry has a status either End, Begin or something in between (but for this I don't care about the in between) and a UUID to mark that they belong to the same transaction.

I am struggling to write a search query that essentially subtracts the _time from the BEGIN entry ud UUID123, from the _time from the END entry with the same UUID. Obviously, my goal is to get the time it took the transaction to complete but I am not sure how to compare fields in two entries with the same UUID.

Any ideas ?

Thanks

gcusello · ‎06-13-2024

Hi @Silah ,

I saw your second messge only after my answer, plese try this:

Let me understand: what's the value of status in Begin and End events?

You have to check these conditions in the evals:

index=your_index status IN ("Begin", "End")
| stats
     earliest(eval(if(status="Begin",_time,""))) AS Begin_time
     latest(eval(if(status="End",_time,""))) AS End_time
     BY UUID
| eval diff=End_time-Begin_time
| table UUID diff

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-13-2024

Hi @Silah ,

you could try to run something like this:

index=your_index status IN (Begin, End)
| stats
     earliest(eval(status="Begin")) AS Begin_time
     latest(eval(status="End")) AS End_time
     BY UUID
| eval diff=End_time-Start_time
| table UUID diff

then you can manage the incomplete conditions: e.g. there's only one event (Start or End)

Ciao.

Giuseppe

Silah · ‎06-13-2024

Hi @gcusello

Thank you, this gets me started.

I assume that

| eval diff=End_time-Start_time

should actually be

| eval diff=End_time-Begin_time

as it is called Begin_time in the earliest eval of the Begin event in the Stats part

It does sort of work, My search query is identifying 4000 events and the table lists out 2000 by their UUID, so it has accurately identified that there is a Begin and End pair for each UUID, however the "diff" field of the table is blank for all of them.

When I check the field, the value of diff is "null".

gcusello · ‎06-13-2024

Hi @Silah ,

yes, it was a mistake!

index=your_index status IN ("Begin", "End")
| stats
     earliest(eval(status="Begin")) AS Begin_time
     latest(eval(status="End")) AS End_time
     BY UUID
| eval diff=End_time-Begin_time
| table UUID diff

anyway, you ha ve to separately check the two conditions (status="Begin" and status="End") to verify that you have in those events the status and UUID fields.

You can also add to the final table command also the Begin_time and End_time fields to see if they are present or not.

Remember to use always quotes in the eval commands.

Ciao.

Giuseppe

Silah · ‎06-13-2024

Sorry I should have added that I tried listing the begin_time and end_time in the table also, and both values are simply "True" and not a time stamp

gcusello · ‎06-13-2024

Hi @Silah ,

I saw your second messge only after my answer, plese try this:

Let me understand: what's the value of status in Begin and End events?

You have to check these conditions in the evals:

index=your_index status IN ("Begin", "End")
| stats
     earliest(eval(if(status="Begin",_time,""))) AS Begin_time
     latest(eval(if(status="End",_time,""))) AS End_time
     BY UUID
| eval diff=End_time-Begin_time
| table UUID diff

Ciao.

Giuseppe

Silah · ‎06-13-2024

This worked perfectly. Thanks @gcusello really appreciate your help.

gcusello · ‎06-13-2024

Hi @Silah

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Measuring time difference between 2 entries

stats

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)