Solved: Subtract Search results

lokival · ‎08-20-2011

New to splunk - Using version 4.2.3, build 105575

I need to figure out how to subtract the time between two events so as to get a duration. My current search looks like this -

id_numer | search "MsgNo=0" OR "Hang Up"

Which gives me results like -

1 12/29/09 9:34:17.934 AM 12/29
09:34:17.934 2-11150042> Hang Up

2 12/29/09 9:29:51.043 AM 12/29
09:29:51.043 2-11150042> RCV:
SessNo=111, MsgNo=0, NextExp=0

How do I subtract these two results so I can get the time answer to

{time of first result) - (time of second result) = total time taken

That is -

9:34:17.934 - 9:29:51.043 = ?

Thanks,

ftk · ‎08-20-2011

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"

this will give you the duration of the transaction in a field aptly named duration.

The transcations chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions

View solution in original post

deeboh · ‎04-16-2012

Hey guys I have a follow up question similar to this ask. I'm familiar with how transaction work, but i'm having fits trying to find or calculate the difference between duration events. Transaction groups "like" events, then sums the time within that event grouping. Ok, enough of a rehash of the manual.

My question is this. has someone come up with a way to find the duration "between" the durations? Here is my result set i'm working with. The ask is how do I get a running total of the difference 1 and 2, then 3 and 4. Of course i'll want to display this in my chart as well:D
Here's what I have so far -

1 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

2 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

3 [requested ] [ResumeIO Live]
[completed ] [ResumeIO Live]
duration=18

4 [requested ] [PauseIO Live]
[completed ] [PauseIO Live]
duration=17

Thanks in advance.

ftk · ‎08-20-2011

Do these two events have a field in common? If so, you can use the transaction command to do all these calculations for you. It sounds like you have the id_number field in common. If that is the case, you can do something like the following:

[your search] | transaction id_number startswith="MsgNo=0" endswith="Hang Up"

this will give you the duration of the transaction in a field aptly named duration.

The transcations chapter in the docs is worth a read: http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Searchfortransactions

lokival · ‎12-16-2011

Thanks, eventually figured our the ideal setting was 20m

acdevlin · ‎08-26-2011

Maxspan finds all transactions which fit into the desired time constraint. It is useful when you can guarantee a maximum time between your starting and ending events, but not if you don't know the maximum possible time.

You might want to play with "startswith" and "endswith" some more; you could even take out the "startswith", then try with the query as | transaction id_number endswith="Hang Up" just to see if you get any results.

lokival · ‎08-26-2011

Yes, the events have the id_number in common, but using the transaction command you describe returns 0 results.

Oddly, playing with the maxspan value (10m / 30m / 45m) gives results?

Subtract Search results

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!