Splunk Search

Need Help to find duration of transaction

sanyonhhh
New Member

Query used:

index=[server] | transaction Extract startswith="Value Extract Starting." endswith="extraction completed."

Log Result:

1 » 10/4/13 11:39:58.000 PM

2013-10-04T19:39:58 Extract STATUS Value Extract Starting.

2013-10-04T19:40:02 Extract STATUS extraction completed.

2 » 10/4/13 11:10:15.000 PM

2013-10-04T19:10:15 Extract STATUS Value Extract Starting.

2013-10-04T19:10:21 Extract STATUS extraction completed.

Need to find the time difference in a transaction between the start and end lines. Time is present in both lines.
E.g.: From the first event I should get the time difference between 2013-10-04T19:39:58 and 2013-10-04T19:40:02 and should plot it with day on the x-axis and time difference on the y-axis.

0 Karma
1 Solution

MuS
SplunkTrust

Hi sanyonhhh

The transaction command should provide you with a field called duration, which is the time in seconds for your transaction. But it could be a floating point value for partial seconds if you have subseconds in your timestamps.

You can use eval to create a human-readable time out of it like this:

| eval myTime=tostring(duration,"duration")

hope this helps ...

cheers, MuS


0 Karma
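For the per-day plot the question asks for, the `duration` field from the answer can be fed straight into `timechart`. This is an added example, not part of the original posts; it reuses the question's own search and assumes the `[server]` placeholder is replaced with the real index name.

```spl
index=[server]
| transaction Extract startswith="Value Extract Starting." endswith="extraction completed."
| timechart span=1d avg(duration) max(duration)
```

`timechart` needs the numeric `duration` in seconds; the `tostring(duration,"duration")` form is a string, so it suits a table column rather than a chart axis.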
