Response time

Als123 · ‎05-13-2021

Hi Team,

I am having a question regarding log details in Splunk.

1.How response time is generating in logs.?

2.From where it gets configured?

Als123 · ‎05-13-2021

@gcusello ,

Thank you. Got it now.

gcusello · ‎05-13-2021

HI @Als123,

what do you mean with "response time"?

in Splunk there are two timestamps:

_time: the timestamp of the event, extracted during indexing from the event with rules defined in props.conf,
_indextime: the timestamp associated to the event when the event is indexed by Splunk.

If instead you're speaking of a field in event (e.g. milliseconds from a web transactions) you have to extract it using a regex.

Ciao.

Giuseppe

Als123 · ‎05-14-2021

Hi @gcusello ,

In my logs, I couldn't able to see the response time of the transaction.How to get that one?Can you please help me?

gcusello · ‎05-14-2021

Hi @Als123,

this is a very generic question!

Anyway, if you can clearly identify your transactions (e.g. using a unique Transaction ID to group all the events of a transaction) you can use more solutions to calculate the duration of the transaction.

The easiest way, but not the more performant is the transaction command (see to https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Transaction ).

Otherway you can use the stats command, that's faster than the other, try somerhng like this:

Your_search
| stats earliest(_time) AS earliest latest(_time) AS latest BY transaction_ID
| eval duration=latest-earliest
| table transaction_ID duration

Ciao.

Giuseppe

Als123 · ‎05-14-2021

Hi @gcusello ,

Thank you.

gcusello · ‎05-14-2021

HI @Als123,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Response time

search job inspector

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases