Splunk Search

How to create a search for response time to be calculated?

VijaySrrie
Builder

I have 2 events

1) request event

2) response event

I need the response time to be calculated (i.e., request event time - response event time).

How to construct the query?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @VijaySrrie,

If you have a key (e.g. host or transaction_key) to correlate events, you can use the following:

your_search
| stats earliest(_time) AS request latest(_time) AS response BY key
| eval duration=response-request

If you don't have a correlation key, you can use the transaction command, which is slower than the previous one, and there's a problem if you have more request or response times:

your_search
| transaction startswith="request" endswith="response"
| table _time duration

Ciao.

Giuseppe


BT
Path Finder

Hi,

 

I have the same issue where I have to calculate the total duration between request and response. The above query works, but duration is not being calculated or displayed when I run the query:

search query |  stats earliest(dateTime) AS request latest(dateTime) AS response BY TransactionID | eval duration=response- request 

 

result for above query :

TransactionID                         Request                    Response
000877d43ef8778123243454bda780c5e5    2022-05-05 01:36:12.916    2022-05-05 01:36:13.27

Please help

0 Karma
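
An added example, not written by any poster in this thread: when the timestamp comes from a text field such as dateTime rather than from _time, eval cannot subtract the two strings, so the field has to be parsed to epoch seconds with strptime before the stats/eval pattern from the solution is applied. It assumes dateTime is a string in `%Y-%m-%d %H:%M:%S.%3N` form; the four events and the tx-A/tx-B IDs are constructed with makeresults so the search runs without any indexed data.

```spl
| makeresults count=4
| streamstats count AS n
``` Constructed sample events: two transactions, one request and one response each ```
| eval TransactionID=if(n<=2, "tx-A", "tx-B")
| eval dateTime=case(
    n=1, "2022-05-05 01:36:12.916",
    n=2, "2022-05-05 01:36:13.270",
    n=3, "2022-05-05 01:40:00.000",
    n=4, "2022-05-05 01:40:00.000")
``` Parse the text timestamp into epoch seconds; the format string must match the data exactly ```
| eval event_epoch=strptime(dateTime, "%Y-%m-%d %H:%M:%S.%3N")
``` Flag values that did not parse instead of silently dropping them from the calculation ```
| eval parse_ok=if(isnull(event_epoch), 0, 1)
``` min/max compare the parsed values; earliest/latest would order by _time instead ```
| stats min(event_epoch) AS request
        max(event_epoch) AS response
        count AS events
        min(parse_ok) AS all_parsed
        BY TransactionID
``` Duration in seconds, rounded to millisecond precision ```
| eval duration=round(response-request, 3)
``` A transaction with only one event has no response yet, so do not report 0 for it ```
| eval duration=if(events<2 OR all_parsed=0, null(), duration)
``` Convert the epoch values back to readable text for display only ```
| eval request=strftime(request, "%Y-%m-%d %H:%M:%S.%3N")
| eval response=strftime(response, "%Y-%m-%d %H:%M:%S.%3N")
| table TransactionID request response duration events all_parsed
```

Against real data, replace everything above the strptime line with the base search and keep the rest unchanged.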

VijaySrrie
Builder


In most cases the request and response time is the same, so I should get the result as "0", but I am getting wrong results.

0 Karma

VijaySrrie
Builder

Will the response_time produced be in seconds or milliseconds?

0 Karma

gcusello
SplunkTrust

Hi @VijaySrrie,

Epoch time is expressed in seconds, so the difference will be in seconds.

Ciao.

Giuseppe

0 Karma
