Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[help]Get the time duration within a specific start and end value?

cheriemilk
Path Finder
‎08-24-2021 01:42 AM

Hi team,

I have below data in splunk.

cheriemilk_2-1629794660001.png

 

And I want to get the time duration when below range.

ACT start with "AUTOSAVEFORM_trigReq_AutoSaveForm", and end with "AUTOSAVEFORM_after_sendReques"

I have tried below queries , but it doesn;t return the correct result.

Spoiler

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
|reverse
| transaction CMID SID UID startswith="AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

 

Can anyone pease help provide a solution?

 

Labels (7)
0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 11:07 PM

i get expected result by below query:

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"

| sort _time CMID SID UID

| streamstats count(eval(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm")) as eventCounter by CMID SID UID ACT C_ACTV reset_after="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" reset_on_change=true

| table SN, CMN,CMID, CIP, _time, SID,UID, ACT, C_ACTV,eventCounter

| eval ACT=if(ACT=="AUTOSAVEFORM_trigReq_AutoSaveForm" AND C_ACTV=="{reason:commentEditChanged,immediate:false,timeInterval:5000}", ACT+eventCounter, ACT)

| sort - _time CMID SID UID

| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm1" endswith="ACT=AUTOSAVEFORM_after_sendRequest"

| table _time CMN duration

| chart list(duration) as interval by _time, CMN

0 Karma
Reply

manjunathmeti
Champion
‎08-24-2021 01:57 AM

hi @cheriemilk,

You need to provide an eval/search expression to the startswith and endwith arguments.

index=*bizx_application AND sourcetype=perf_log_bizx AND PID="PM_REVIEW" AND PLV=EVENT AND ACT="AUTOSAVEFORM_*"  AND C_ACTV="*commentEdit*" OR ACT="*SendRequest"
| sort - _time, CMID, SID, UID
| transaction CMID SID UID startswith="ACT=AUTOSAVEFORM_trigReq_AutoSaveForm" endswith="ACT=AUTOSAVEFORM_after_sendRequest"
| table _time duration eventcount

  More details on here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction#Filter_string_option... 

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

cheriemilk
Path Finder
‎08-24-2021 05:32 AM

Hi @manjunathmeti ,

Thank you for the solution. But I am wondering if the result based on your suggested query is right or not?

The obvious problematic data is for 'eventcount'. In my screenshot->the transaction blocked with red, there're 6 events totally, but the query result shows this transaction only has 3 events for eventcount field. Is this correct? Looks like, the transaction doesn't start with the first 'ACT=AUTOSAVEFORM_trigReq_AutoSaveForm'.

Thanks,

Cherie

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...