Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Set implied transaction start and end time if start or end events are missing

mahesh_ravji1
Explorer
‎07-13-2014 11:04 PM

Hi There,

We have some user activity logs with LOG_ON and LOG_OFF events in Splunk similar to following:

2014/07/13 13:00:00 User=UserA SessionId=cfe66c82-e983-4d4c-b654-84555b94c7c8 Event=LOG_OFF

2014/07/13 14:30:00 User=UserA SessionId=00ba16c5-928d-4845-88fd-dceb6f1eae8c Event=LOG_ON

2014/07/13 15:00:00 User=UserA SessionId=00ba16c5-928d-4845-88fd-dceb6f1eae8c Event=LOG_OFF

2014/07/13 20:00:00 User=UserA SessionId=378f9fb2-c21d-4ee5-b6c1-fa54d46eff3e Event=LOG_ON

I would like to calculate the total logged on time per day based on above data (i.e. time between LOG_ON and LOG_OFF events). The transaction command appears to be perfect for this requirement.

search | transaction SessionId startswith=(Event="LOG_ON") endswith=(Event="LOG_OFF") | table _time Event User SessionId duration

_time           Event   User        SessionId               duration

2014-07-13 13:00:00 LOG_OFF User=UserA  cfe66c82-e983-4d4c-b654-84555b94c7c8    0

2014-07-13 14:30:00 LOG_OFF User=UserA  00ba16c5-928d-4845-88fd-dceb6f1eae8c    1800.00

            LOG_ON
2014-07-13 20:00:00 LOG_ON  User=UserA  378f9fb2-c21d-4ee5-b6c1-fa54d46eff3e    0

However if the first event of a transaction is a LOG_OFF, I would like to assume start of transaction LOG_ON was at midnight 2014-07-13 00:00:00. Equally if the last event of a transaction is a LOG_ON, I would like to assume end of transaction LOG_OFF was at next midnight 2014-07-14 00:00:00.
So for the above data the total logged on time should be 13 hours + 30 mins + 4 hours = 17.5 hours.

Any help on how this can be achieved is most appreciated.

Thanks

Tags (1)
Reply

emiller42
Motivator
‎07-14-2014 09:52 AM

Put the following after your transaction:

| eval duration=if(eventcount==1, case(Event=="LOG_OFF", _time-relative_time(_time, "@d"), Event=="LOG_ON", relative_time(_time, "+1d@d")-_time), duration)

This does the following:

  • Checks if eventcount==1. If not, it uses the existing duration value.
  • If Event=="LOG_OFF" then it calculates the difference between the timestamp and the start of the day.
  • If Event=="LOG_ON" then it calculates the difference between the timestamp and the start of the next day.

That will allow transactions with a proper start/end to keep their transaction generated durations, while incomplete transactions will show durations according to your conditions. Then you should be able to do stats as expected.

Reply

emiller42
Motivator
‎07-31-2014 08:02 PM

Glad I could help! Can you mark the answer as accepted? (Click the checkmark) That way anyone finding this in search later knows it has a working solution.

Thanks!

0 Karma
Reply

mahesh_ravji1
Explorer
‎07-31-2014 07:36 PM

Thanks your answer solved my problem. I ended up using a slightly modified query as follows:

| eval duration=case(duration>0, duration, Event=="LOG_OFF", _time-relative_time(_time, "@d"), Event=="LOG_ON", relative_time(_time, "+1d@d")-_time)

0 Karma
Reply

datasearchninja
Communicator
‎07-14-2014 12:10 AM

How about this:

| eval startofday=strptime(strftime(_time, "%Y/%m/%d 00:00:00"), "%Y/%m/%d %H:%M:%S") | eval endofday=strptime(strftime(_time, "%Y/%m/%d 23:59:59"), "%Y/%m/%d %H:%M:%S") | eval new_duration=case(duration>0,duration,Event="LOG_ON",endofday-_time,Event="LOG_OFF",_time-startofday)
Reply

mahesh_ravji1
Explorer
‎07-31-2014 07:39 PM

Thanks your answer also helped. I combined your answer with the other answer and came up with:
| eval duration=case(duration>0, duration, Event=="LOG_OFF", _time-relative_time(_time, "@d"), Event=="LOG_ON", relative_time(_time, "+1d@d")-_time)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...