Solved: calculate total duration

indeed_2000 · ‎11-15-2021

Hi

How can I calculate duration of below log:

2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

Expected Output:
id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878

FYI:
9,878=(00:00:11,747)-(00:00:01,869)
3,878=(00:00:15,747)-(00:00:11,869)

Thanks,

ITWhisperer · ‎11-15-2021

| makeresults 
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw




| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000

View solution in original post

ITWhisperer · ‎11-15-2021

| makeresults 
| eval _raw="2021-07-15 00:00:01,869 INFO CUS.AbCD-AppService1-1234567 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:01,988 INFO CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:11,714 INFO CUS.AbCD-AppService2-9876543 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:11,747 INFO CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]

2021-07-15 00:00:11,869 INFO CUS.AbCD-AppService1-1111111 [AppListener] Receive Packet[00*]: Kafka[AppService1.APP1]
2021-07-15 00:00:11,988 INFO CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [01*] to [APP1.APP2]
2021-07-15 00:00:15,714 INFO CUS.AbCD-AppService2-2222222 [AppListener] Receive Packet[02*]: Kafka[AppService2.APP1]
2021-07-15 00:00:15,747 INFO CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 [AppCheckManager] Send Packet [03*] to [APP1.AppService1]"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S,%Q")
| fields _time _raw




| rex "INFO\s(?<txn>\S+)\s\S+\s(?<event>(Send|Receive))"
| eval mastertxn=if(event="Send",mvindex(split(txn,"_"),-1),null())
| eventstats latest(mastertxn) as mastertxn by txn
| stats earliest(_time) as start latest(_time) as end by mastertxn
| eval duration=(end-start)*1000

indeed_2000 · ‎11-15-2021

current output:

id duration
CUS.AbCD-AppService1-1234567 9878
CUS.AbCD-AppService1-1111111 3878

Expected Output:

id duration
CUS.AbCD-AppService2-9876543_CUS.AbCD-AppService1-1234567 9,878
CUS.AbCD-AppService2-2222222_CUS.AbCD-AppService1-1111111 3,878

Any idea?

Thanks

ITWhisperer · ‎11-15-2021

| stats latest(txn) as txn earliest(_time) as start latest(_time) as end by mastertxn

calculate total duration

fields

stats

table

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation