Splunk Search

duration of two consecutive log statement

firasarabo
Path Finder

Hi,

I tried to use the "transaction" command but couldn't get what I wanted, so I thought I'd ask the question here in case somebody can give a hint/solution.

So I have an application that outputs logs as follows:

2012-08-23 19:36:19,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:21,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:22,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:25,612 INFO THR_ID=729108133 some message

etc

I would like to write a search that gives me the duration between each two logging lines for the same THR_ID, so in this scenario I should see something like:

Duration
2
1
3

any ideas how to accomplish this?

Thanks,
Firas


kristian_kolb
Ultra Champion

Sure,

It looks like you should check the delta command, and use it on the built-in _time field. Something like this:

your_search | sort THR_ID, _time | delta _time as t_diff | table t_diff, THR_ID, whatever_else_you_want_to_show_from_the_event

UPDATE: forgot that you'd need to sort on THR_ID in order to get correct results. Oops. Fixed that.

Hope this helps,

Kristian
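As an added worked example (not code from the thread or from Splunk), the following Python reproduces what the suggested search computes, using the question's four log lines plus a second, constructed thread (THR_ID=5) interleaved with them. It parses the timestamp and THR_ID, sorts per thread and takes consecutive _time differences, giving 2, 1, 3 for thread 729108133. It also shows the caveat a practitioner will hit: `delta` has no `by` clause, so with more than one THR_ID the event at each thread boundary gets a cross-thread difference (here a negative one). The field names `_time` and `THR_ID` come from the thread; the function names and the extra thread are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the four lines from the question plus a second
# thread (THR_ID=5) interleaved, to show why deltas must be per thread.
SAMPLE_LOG = """\
2012-08-23 19:36:19,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:20,000 INFO THR_ID=5 other thread starts
2012-08-23 19:36:21,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:22,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:24,500 INFO THR_ID=5 other thread continues
2012-08-23 19:36:25,612 INFO THR_ID=729108133 some message
"""

# Layout of the lines shown in the question: timestamp, level, THR_ID, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) THR_ID=(?P<thr>\d+) (?P<msg>.*)$"
)


def parse_lines(text):
    """Turn raw log text into events with a numeric _time (epoch seconds)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the known layout
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        ts = ts.replace(tzinfo=timezone.utc)  # log has no zone; assume UTC
        events.append({
            "_time": ts.timestamp(),
            "THR_ID": m.group("thr"),
            "level": m.group("level"),
            "msg": m.group("msg"),
        })
    return events


def deltas_by_thread(events):
    """Per-thread gaps: seconds since that thread's previous event.

    This is the behaviour one wants from the search in the answer; the
    first event of each thread has no predecessor and gets None.
    """
    by_thr = defaultdict(list)
    for ev in events:
        by_thr[ev["THR_ID"]].append(ev)
    result = {}
    for thr, evs in by_thr.items():
        evs.sort(key=lambda e: e["_time"])
        diffs = [None]
        for prev, cur in zip(evs, evs[1:]):
            diffs.append(round(cur["_time"] - prev["_time"], 3))
        result[thr] = diffs
    return result


def naive_deltas(events):
    """What `sort THR_ID, _time | delta _time` literally does.

    Differences are taken over the flattened, sorted stream, so the first
    event of every thread after the first is compared with the last event
    of the previous thread and gets a meaningless (here negative) value.
    """
    ordered = sorted(events, key=lambda e: (e["THR_ID"], e["_time"]))
    return [None] + [
        round(b["_time"] - a["_time"], 3) for a, b in zip(ordered, ordered[1:])
    ]


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for thr, diffs in deltas_by_thread(evs).items():
        print(f"THR_ID={thr}: {diffs}")
    print("flattened delta:", naive_deltas(evs))
```

With a single THR_ID, as in the question, `deltas_by_thread` and `naive_deltas` agree. With several threads, the per-thread form corresponds in SPL to `streamstats current=f last(_time) as prev_time by THR_ID | eval t_diff=_time-prev_time`, which is the idiom to reach for once the search spans more than one thread.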

firasarabo
Path Finder

Thanks, the delta will get me what I wanted.

kristian_kolb
Ultra Champion

updated /k
