- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- rex to extract duration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How can I extract duration with below condition? (it is important to check these condition to find correct match)
1)A=A+10
2)B=B
FYI: AFAIK stat command is faster than transaction command. I want to extract duration in large dataset.
Here is the log:
2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000]
2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999]
2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322]
2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]
expected output:
name duration
CUS.AbCD-APP1-12345 1.022
CUS.AbCD-APP1-54321 0.031
Any idea?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your dataset is consistent with the examples you've provided and that the start of the transaction begins with "Normal Packet Received".
Approach
- Set new variable "matched_value" = A or A+10 depending whether the event is start or end of a transaction.
- Use stats to group the event_id, matched_value, and B
| makeresults
| eval event_string="2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000];2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999];2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322];2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]"
| eval event_string=split(event_string, ";")
| mvexpand event_string
| rex field=event_string "^(?<event_time>[\d\-\s\:\,]*)\s\w+\s(?<event_id>[^\s]*)\s\[(?<event_status>[^\]]*)\]\s(?<event_type>[^\:]*)\:\sA\[(?<A>\d+)\]\sB\[(?<B>\d+)"
| eval _time=strptime(event_time, "%Y-%m-%d %H:%M:%S,%3N")
| eval matched_value=tonumber(A) | eval matched_value=CASE(event_type=="Normal Packet Received", matched_value+10, event_type=="Packet Processed", matched_value)
| table _time event_id event_status event_type event_string A B matched_value
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration values(A) AS A BY event_id B matched_value
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration_secs=ROUND(duration, 3)
| table start_time end_time event_id duration_secs A B matched_value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your dataset is consistent with the examples you've provided and that the start of the transaction begins with "Normal Packet Received".
Approach
- Set new variable "matched_value" = A or A+10 depending whether the event is start or end of a transaction.
- Use stats to group the event_id, matched_value, and B
| makeresults
| eval event_string="2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000];2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999];2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322];2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]"
| eval event_string=split(event_string, ";")
| mvexpand event_string
| rex field=event_string "^(?<event_time>[\d\-\s\:\,]*)\s\w+\s(?<event_id>[^\s]*)\s\[(?<event_status>[^\]]*)\]\s(?<event_type>[^\:]*)\:\sA\[(?<A>\d+)\]\sB\[(?<B>\d+)"
| eval _time=strptime(event_time, "%Y-%m-%d %H:%M:%S,%3N")
| eval matched_value=tonumber(A) | eval matched_value=CASE(event_type=="Normal Packet Received", matched_value+10, event_type=="Packet Processed", matched_value)
| table _time event_id event_status event_type event_string A B matched_value
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration values(A) AS A BY event_id B matched_value
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration_secs=ROUND(duration, 3)
| table start_time end_time event_id duration_secs A B matched_value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try modifying the solution you accepted last year!
https://community.splunk.com/t5/Splunk-Search/calculate-duration/m-p/571642/highlight/true#M199202
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reminder. I tried that command and it was slow for this scenario. As I mentioned dataset is huge!
any other idea?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope it will work with just B because I can't find a way to compare A to A+10.
| rex "\s(?<name>\S+)\s\[.*?A\[(?<A>\d+)]\sB\[(?<B>\d+)"
| stats range(_time) as duration by name, B
| table name durationIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answer, but need both condition checked.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
