Splunk Search

Time difference between events | multiple events that are in chronological order

saikumarkomati
New Member

I have the following data, and i want to find the time difference between start and end of the request for SID, need to ignore the START with no END,

Note : in the below list Events (2,3), (4, 5), (10,11) are valid as they have start and end, the difference between these events is required
_time SID REQUEST
1 2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
2 2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
3 2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
4 2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
5 2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
6 2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
7 2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
8 2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
9 2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END

0 Karma

to4kawa
SplunkTrust
SplunkTrust
| makeresults 
| eval _raw="No  time                    SID                    REQUEST           
 1  2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
 2  2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
 3  2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
 4  2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
 5  2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
 6  2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
 7  2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
 8  2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
 9  2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
 10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
 11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END" 
| multikv forceheader=1 
| eval _time=strptime(time,"%F %T.%q") 
| table _time SID REQUEST 

| rename COMMENT AS "this is sample data you provide") 

| rename COMMENT AS "From here, the logic" 

| streamstats count(eval(REQUEST="START")) as session 
| stats earliest(_time) as start latest(_time) as end range(_time) as duration count(session) as flag by session SID 
| eval start=strftime(start,"%F %T.%3q"), end=strftime(end,"%F %T.%3q") 
| where flag > 1 
| table SID start end duration

If the volume of logs is large and transaction is heavy, try this.

0 Karma

saikumarkomati
New Member

Thanks for the response, solution provided is appropriate, appreciate your supports

0 Karma

to4kawa
SplunkTrust
SplunkTrust

hi, @saikumarkomati
Please accept the answer and close question.

0 Karma

bshuler_splunk
Splunk Employee
Splunk Employee

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Try something like

|transaction SID startswith=START endswith=END

the duration is the time difference

0 Karma