Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[help]Get the time duration within a specific start and end value?

cheriemilk
Path Finder
‎08-24-2021 01:42 AM

Hi team,

I have below data in splunk.

cheriemilk_2-1629794660001.png

 

And I want to get the time duration when below range.

ACT start with "AUTOSAVEFORM_trigReq_AutoSaveForm", and end with "AUTOSAVEFORM_after_sendReques"

I have tried below queries , but it doesn;t return the correct result.

Spoiler

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
|reverse
| transaction CMID SID UID startswith="AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

 

Can anyone pease help provide a solution?

 

Labels (7)
0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 11:07 PM

i get expected result by below query:

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"

| sort _time CMID SID UID

| streamstats count(eval(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm")) as eventCounter by CMID SID UID ACT C_ACTV reset_after="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" reset_on_change=true

| table SN, CMN,CMID, CIP, _time, SID,UID, ACT, C_ACTV,eventCounter

| eval ACT=if(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm" AND C_ACTV=="{reason:commentEditChanged,immediate:false,timeInterval:5000}", ACT+eventCounter, ACT)

| sort - _time CMID SID UID

| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm1" endswith="ACT=AUTOSAVEFORM_after_sendRequest"

| table _time CMN duration

| chart list(duration) as interval by _time, CMN

0 Karma
Reply

manjunathmeti
Champion
‎08-24-2021 01:57 AM

hi @cheriemilk,

You need to provide an eval/search expression to the startswith and endwith arguments.

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
| sort - _time, CMID, SID, UID
| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="ACT=AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

  More details on here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction#Filter_string_option... 

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 05:32 AM

Hi @manjunathmeti ,

Thank you for the solution. But I am wondering if the result based on your suggested query is right or not?

The obvious problematic data is for 'eventcount'. In my screenshot->the transaction blocked with red, there're 6 events totally, but the query result shows this transaction only has 3 events for eventcount field. Is this correct? Looks like, the transaction doesn't start with the first 'ACT=AUTOSAVEFORM_trigReq_AutoSaveForm'.

Thanks,

Cherie

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...