Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[help]Get the time duration within a specific start and end value?

cheriemilk
Path Finder
‎08-24-2021 01:42 AM

Hi team,

I have below data in splunk.

cheriemilk_2-1629794660001.png

 

And I want to get the time duration when below range.

ACT start with "AUTOSAVEFORM_trigReq_AutoSaveForm", and end with "AUTOSAVEFORM_after_sendReques"

I have tried below queries , but it doesn;t return the correct result.

Spoiler

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
|reverse
| transaction CMID SID UID startswith="AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

 

Can anyone pease help provide a solution?

 

Labels (7)
0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 11:07 PM

i get expected result by below query:

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"

| sort _time CMID SID UID

| streamstats count(eval(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm")) as eventCounter by CMID SID UID ACT C_ACTV reset_after="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" reset_on_change=true

| table SN, CMN,CMID, CIP, _time, SID,UID, ACT, C_ACTV,eventCounter

| eval ACT=if(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm" AND C_ACTV=="{reason:commentEditChanged,immediate:false,timeInterval:5000}", ACT+eventCounter, ACT)

| sort - _time CMID SID UID

| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm1" endswith="ACT=AUTOSAVEFORM_after_sendRequest"

| table _time CMN duration

| chart list(duration) as interval by _time, CMN

0 Karma
Reply

manjunathmeti
Champion
‎08-24-2021 01:57 AM

hi @cheriemilk,

You need to provide an eval/search expression to the startswith and endwith arguments.

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
| sort - _time, CMID, SID, UID
| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="ACT=AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

  More details on here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction#Filter_string_option... 

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 05:32 AM

Hi @manjunathmeti ,

Thank you for the solution. But I am wondering if the result based on your suggested query is right or not?

The obvious problematic data is for 'eventcount'. In my screenshot->the transaction blocked with red, there're 6 events totally, but the query result shows this transaction only has 3 events for eventcount field. Is this correct? Looks like, the transaction doesn't start with the first 'ACT=AUTOSAVEFORM_trigReq_AutoSaveForm'.

Thanks,

Cherie

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...