Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Response time

Als123
Explorer
‎05-13-2021 09:25 PM

Hi Team,

I am having a question regarding log details in Splunk.

1.How response time is generating in logs.?

2.From where it gets configured?

Labels (1)
Labels
0 Karma
Reply

Als123
Explorer
‎05-13-2021 10:36 PM

@gcusello ,

Thank you. Got it now.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-13-2021 10:27 PM

HI @Als123,

what do you mean with "response time"?

in Splunk there are two timestamps:

  • _time: the timestamp of the event, extracted during indexing from the event with rules defined in props.conf,
  • _indextime: the timestamp associated to the event when the event is indexed by Splunk.

If instead you're speaking of a field in event (e.g. milliseconds from a web transactions) you have to extract it using a regex.

Ciao.

Giuseppe

Reply

Als123
Explorer
‎05-14-2021 06:18 AM

Hi @gcusello ,

In my logs, I couldn't able to see the response time of the transaction.How to get that one?Can you please help me?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-14-2021 06:26 AM

Hi @Als123,

this is a very generic question!

Anyway, if you can clearly identify your transactions (e.g. using a unique Transaction ID to group all the events of a transaction) you can use more solutions to calculate the duration of the transaction.

The easiest way, but not the more performant is the transaction command (see to https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Transaction ).

Otherway you can use the stats command, that's faster than the other, try somerhng like this:

Your_search
| stats earliest(_time) AS earliest latest(_time) AS latest BY transaction_ID
| eval duration=latest-earliest
| table transaction_ID duration

 Ciao.

Giuseppe

0 Karma
Reply

Als123
Explorer
‎05-14-2021 06:51 AM

Hi @gcusello ,

Thank you.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-14-2021 07:02 AM

HI @Als123,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...