Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

query for transactions or grouping events

splunk_ier
Engager
‎03-11-2021 08:49 PM

Hi Team,

I have the below logs in splunk and i'm looking for query to get the time taken to compete the run by each bot for each scheduled run(Run bot deployed is the start of the bot and Run bot finished is the end of the bot).A bot can run more than once in a day and need average run time as well.I tried using transaction command but not getting desired results.

Thanks for the help

11/03/2021 22:22:20.600 STATUS=Successful,ACTIVITY AT=2021-03-11T22:22:19Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot
11/03/2021 22:00:27.000 STATUS=Successful,ACTIVITY AT=2021-03-11T22:00:26Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot
11/03/2021 15:20:04.400 STATUS=Successful,ACTIVITY AT=2021-03-11T15:20:04Z,ACTION TYPE=Run bot finished,ITEM NAME=fin_bot
11/03/2021 15:00:23.000 STATUS=Successful,ACTIVITY AT=2021-03-11T15:00:22Z,ACTION TYPE=Run bot Deployed,ITEM NAME=fin_bot
12/03/2021 04:02:15.800 STATUS=Successful,ACTIVITY AT=2021-03-12T04:02:14Z,ACTION TYPE=Run bot finished,ITEM NAME=tax_bot
12/03/2021 04:00:23.780 STATUS=Successful,ACTIVITY AT=2021-03-12T04:00:23Z,ACTION TYPE=Run bot Deployed,ITEM NAME=tax_bot

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-11-2021 10:31 PM

hi @splunk_ier,

Use transaction command with satrtwith and endswith options like below:

index=INDEX sourcetype=sourcetype
| transaction startswith="Run bot Deployed" endswith="Run bot finished" 
| table _raw, duration, eventcount

For calculating average of duration extract field "ITEM NAME" if it does not exist and use stats.

index=INDEX sourcetype=sourcetype
| rex "ITEM NAME=(?<ITEM_NAME>[^,]+)$" 
| transaction startswith="Run bot Deployed" endswith="Run bot finished" 
| stats avg(duration) as avg_duration_sec by ITEM_NAME

 

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-11-2021 10:31 PM

hi @splunk_ier,

Use transaction command with satrtwith and endswith options like below:

index=INDEX sourcetype=sourcetype
| transaction startswith="Run bot Deployed" endswith="Run bot finished" 
| table _raw, duration, eventcount

For calculating average of duration extract field "ITEM NAME" if it does not exist and use stats.

index=INDEX sourcetype=sourcetype
| rex "ITEM NAME=(?<ITEM_NAME>[^,]+)$" 
| transaction startswith="Run bot Deployed" endswith="Run bot finished" 
| stats avg(duration) as avg_duration_sec by ITEM_NAME

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...