Solved: calculate total duration

indeed_2000 · ‎11-15-2021

Hi

How can I calculate duration of below log:

2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

Expected Output:
id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878

FYI:
9,878=(00:00:11,747)-(00:00:01,869)
3,878=(00:00:15,747)-(00:00:11,869)

Thanks,

ITWhisperer · ‎11-15-2021

| makeresults 
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw




| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000

View solution in original post

ITWhisperer · ‎11-15-2021

| makeresults 
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw




| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000

indeed_2000 · ‎11-15-2021

current output:

id duration
CUS.AbCD-AppService1-1234567 9878
CUS.AbCD-AppService1-1111111 3878

Expected Output:

id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878

Any idea?

Thanks

ITWhisperer · ‎11-15-2021

| stats latest(txn) as txn earliest(_time) as start latest(_time) as end by mastertxn

calculate total duration

fields

stats

table

transaction

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]