Subtract Search results

lokival
Explorer

New to splunk - Using version 4.2.3, build 105575

I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this -

id_numer | search "MsgNo=0" OR "Hang Up"

Which gives me results like -

1 12/29/09 9:34:17.934 AM 12/29
09:34:17.934 2-11150042> Hang Up

2 12/29/09 9:29:51.043 AM 12/29
09:29:51.043 2-11150042> RCV:
SessNo=111, MsgNo=0, NextExp=0

How do I subtract these two results so I can get the time answer to

(time of first result) - (time of second result) = total time taken

That is -

9:34:17.934 - 9:29:51.043 = ?

Thanks,

1 Solution

ftk
Motivator

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"

this will give you the duration of the transaction in a field aptly named duration.

The transactions chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions

deeboh
Path Finder

Hey guys, I have a follow-up question similar to this ask. I'm familiar with how transactions work, but I'm having fits trying to find or calculate the difference between duration events. Transaction groups "like" events, then sums the time within that event grouping. OK, enough of a rehash of the manual.

My question is this: has someone come up with a way to find the duration "between" the durations? Here is the result set I'm working with. The ask is how do I get a running total of the difference between 1 and 2, then 3 and 4. Of course I'll want to display this in my chart as well :D
Here's what I have so far -

eio | rex "(?i)] [(?P[^\ ]+)\s+] [(?P[^\ ]+)" | transaction stateio startswith="issuedio=PauseIO" endswith="issuedio=ResumeIO" | eval durationstr=tostring(duration,"duration") | rename durationstr as "PauseIO Durations" | table "PauseIO Durations", _time

1 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

2 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

3 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

4 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

Thanks in advance.

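As an added illustration (not from the thread and not Splunk's own implementation), the pairing that transaction does for the call events above, the maxspan filter discussed below, and the gap between consecutive transactions that deeboh asks for, reimplemented in Python over constructed sample events; the event layout, the "disk1" grouping value and the IO timestamps are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, grouping field, message), modelled on
# the two call events and the PauseIO/ResumeIO events quoted in the thread.
CALL_EVENTS = [
    ("12/29/09 9:34:17.934 AM", "2-11150042", "Hang Up"),
    ("12/29/09 9:29:51.043 AM", "2-11150042", "RCV: SessNo=111, MsgNo=0, NextExp=0"),
]
IO_EVENTS = [
    ("12/29/09 9:00:00.000 AM", "disk1", "issuedio=PauseIO"),
    ("12/29/09 9:00:17.000 AM", "disk1", "issuedio=ResumeIO"),
    ("12/29/09 9:01:00.000 AM", "disk1", "issuedio=PauseIO"),
    ("12/29/09 9:01:17.000 AM", "disk1", "issuedio=ResumeIO"),
]

def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y %I:%M:%S.%f %p")

def transactions(events, startswith, endswith, maxspan=None):
    """Pair each start event with the next end event sharing the grouping
    field, oldest first, and report (key, start_time, duration_seconds).
    A pair longer than maxspan seconds is dropped, like maxspan= in SPL."""
    open_by_key, result = {}, []
    for ts, key, msg in sorted(events, key=lambda e: parse_ts(e[0])):
        when = parse_ts(ts)
        if startswith in msg:
            open_by_key[key] = when   # a new start replaces an unmatched earlier one
        elif endswith in msg and key in open_by_key:
            start = open_by_key.pop(key)
            span = (when - start).total_seconds()
            if maxspan is None or span <= maxspan:
                result.append((key, start, span))
    return result

def gaps_between(txns):
    """Seconds from the end of one transaction to the start of the next
    (the 'duration between the durations'), in time order."""
    ordered = sorted(txns, key=lambda t: t[1])
    return [
        (cur[1] - (prev[1] + timedelta(seconds=prev[2]))).total_seconds()
        for prev, cur in zip(ordered, ordered[1:])
    ]

if __name__ == "__main__":
    for key, start, span in transactions(CALL_EVENTS, "MsgNo=0", "Hang Up"):
        print(key, start.time(), f"duration={span}")   # 266.891 seconds
    io = transactions(IO_EVENTS, "issuedio=PauseIO", "issuedio=ResumeIO")
    print([t[2] for t in io], gaps_between(io))        # [17.0, 17.0] [43.0]
```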

lokival
Explorer

Thanks, eventually figured out the ideal setting was 20m

acdevlin
Communicator

Maxspan finds all transactions which fit into the desired time constraint. It is useful when you can guarantee a maximum time between your starting and ending events, but not if you don't know the maximum possible time.

You might want to play with "startswith" and "endswith" some more; you could even take out the "startswith", then try with the query as | transaction id_number endswith="Hang Up" just to see if you get any results.

lokival
Explorer

Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results.

Oddly, playing with the maxspan value (10m / 30m / 45m) gives results?
