Splunk Search

Need to Calculate Response Time matching Index ID between 2 lines in the search

lsanthoshbe
New Member


If you look at the screenshot below, due to multiple calls at the same time the response sometimes takes a while, and we need to match the ID and calculate the difference.
Right now I am using the query below; this works well if the request and response come next to each other.

index=e1prd host=pite1bspd1 sourcetype=e1_npd_bssv PublishedMethod | transaction transid startswith="startPublishedMethod" endswith="finishPublishedMethod" | rename duration as Response_Time |table Instance_ID,Response_Time

Please advise
Thanks,
Santhosh


woodcock
Esteemed Legend

Try this:

index=e1prd host=pite1bspd1 sourcetype=e1_npd_bssv *PublishedMethod*
| streamstats count(eval(searchmatch("finishPublishedMethod"))) AS sessionID BY instance_ID transid
| stats range(_time) AS Response_Time BY sessionID instance_ID transid
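As an added example that is not part of this thread, the Python below models what the accepted answer's streamstats/stats pipeline does, over a few constructed log lines with interleaved calls: events are walked newest-first (Splunk's default search order), the running count of finishPublishedMethod events per Instance_ID and transid becomes the sessionID, and Response_Time is range(_time) within each session. It also reports sessions that lack a matching start or finish, which in the SPL would otherwise come out as a Response_Time of 0. The log line layout and field names are assumed for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread); the line layout and field
# names are assumed. T1 and T2 interleave, so "pair with the next line" fails.
SAMPLE_LOG = """\
2024-05-01 10:00:00,000 startPublishedMethod transid=T1 Instance_ID=JDE1
2024-05-01 10:00:00,200 startPublishedMethod transid=T2 Instance_ID=JDE1
2024-05-01 10:00:01,700 finishPublishedMethod transid=T2 Instance_ID=JDE1
2024-05-01 10:00:03,000 finishPublishedMethod transid=T1 Instance_ID=JDE1
2024-05-01 10:00:04,000 startPublishedMethod transid=T1 Instance_ID=JDE1
2024-05-01 10:00:04,500 finishPublishedMethod transid=T1 Instance_ID=JDE1
2024-05-01 10:00:05,000 startPublishedMethod transid=T3 Instance_ID=JDE1
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<phase>startPublishedMethod|finishPublishedMethod) "
    r"transid=(?P<transid>\S+) Instance_ID=(?P<instance>\S+)$")

def parse_events(text):
    """Parse lines into events with an epoch _time, like Splunk's extracted fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not PublishedMethod events are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append({"_time": ts.timestamp(), "phase": m["phase"],
                           "transid": m["transid"], "instance": m["instance"]})
    return events

def response_times(events):
    """Return ({(instance, transid, sessionID): seconds}, [unmatched sessions])."""
    finish_count = defaultdict(int)  # streamstats count(...) per BY key
    sessions = defaultdict(list)     # (key, sessionID) -> [(phase, _time)]
    # Newest first (Splunk's default order): a finish bumps the counter and the
    # start that precedes it in time sees the same value, so both share a sessionID.
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        key = (ev["instance"], ev["transid"])
        if ev["phase"] == "finishPublishedMethod":
            finish_count[key] += 1
        sessions[(key, finish_count[key])].append((ev["phase"], ev["_time"]))
    results, unmatched = {}, []
    for (key, session_id), members in sessions.items():
        phases = sorted(p for p, _ in members)
        if phases == ["finishPublishedMethod", "startPublishedMethod"]:
            times = [t for _, t in members]
            results[key + (session_id,)] = round(max(times) - min(times), 3)  # range(_time)
        else:
            unmatched.append(key + (session_id,))  # a lone event would be range 0 in SPL
    return results, unmatched
```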


lsanthoshbe
New Member

Excellent, Gregg!! Thanks for your support!! I used the query below and it looks like it is working now.
I really appreciate your support.

index=e1stg host=pite1bsqa2  *PublishedMethod*
| streamstats count(eval(searchmatch("finishPublishedMethod"))) AS sessionID BY Instance_ID_QA
| stats range(_time) AS Response_Time BY sessionID Instance_ID_QA
| table Instance_ID_QA,Response_Time

macadminrohit
Contributor

You can first try to convert your time to epoch using strptime, then use streamstats to group together both of the events with the same ID, and then calculate the difference.


lsanthoshbe
New Member

If you can provide an exact query / sample, that would be great!!
Thanks for your help.
