Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- calculate total duration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How can I calculate duration of below log:
2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]
2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]
Expected Output:
id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878
FYI:
9,878=(00:00:11,747)-(00:00:01,869)
3,878=(00:00:15,747)-(00:00:11,869)
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]
2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw
| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]
2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw
| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
current output:
id duration
CUS.AbCD-AppService1-1234567 9878
CUS.AbCD-AppService1-1111111 3878
Expected Output:
id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878
Any idea?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats latest(txn) as txn earliest(_time) as start latest(_time) as end by mastertxn
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
