Solved: Re: rex to extract duration

indeed_2000 · ‎01-19-2022

Hi
How can I extract duration with below condition? (it is important to check these condition to find correct match)
1)A=A+10
2)B=B

FYI: AFAIK stat command is faster than transaction command. I want to extract duration in large dataset.

Here is the log:

2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000]
2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999]

2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322]
2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]

expected output:
name duration
CUS.AbCD-APP1-12345 1.022
CUS.AbCD-APP1-54321 0.031

Any idea?
Thanks

johnhuang · ‎01-19-2022

Assuming your dataset is consistent with the examples you've provided and that the start of the transaction begins with "Normal Packet Received".

Approach

Set new variable "matched_value" = A or A+10 depending whether the event is start or end of a transaction.
Use stats to group the event_id, matched_value, and B

| makeresults
| eval event_string="2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000];2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999];2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322];2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]"
| eval event_string=split(event_string, ";")
| mvexpand event_string

| rex field=event_string "^(?<event_time>[\d\-\s\:\,]*)\s\w+\s(?<event_id>[^\s]*)\s\[(?<event_status>[^\]]*)\]\s(?<event_type>[^\:]*)\:\sA\[(?<A>\d+)\]\sB\[(?<B>\d+)"
| eval _time=strptime(event_time, "%Y-%m-%d %H:%M:%S,%3N")
| eval matched_value=tonumber(A) | eval matched_value=CASE(event_type=="Normal Packet Received", matched_value+10, event_type=="Packet Processed", matched_value)
| table _time event_id event_status event_type event_string A B matched_value
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration values(A) AS A BY event_id B matched_value
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration_secs=ROUND(duration, 3)
| table start_time end_time event_id duration_secs  A B matched_value

View solution in original post

johnhuang · ‎01-19-2022

Assuming your dataset is consistent with the examples you've provided and that the start of the transaction begins with "Normal Packet Received".

Approach

Set new variable "matched_value" = A or A+10 depending whether the event is start or end of a transaction.
Use stats to group the event_id, matched_value, and B

| makeresults
| eval event_string="2022-01-17 00:14:19,600 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Normal Packet Received: A[000] B[9999] C[000000];2022-01-17 00:14:20,622 INFO CUS.AbCD-APP1-12345 [PacketSendSuccess] Packet Processed: A[010] B[9999];2022-01-17 16:50:48,383 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Normal Packet Received: A[900] B[33322];2022-01-17 16:50:48,414 INFO CUS.AbCD-APP1-54321 [PacketSendSuccess] Packet Processed: A[910] B[33322] C[000000]"
| eval event_string=split(event_string, ";")
| mvexpand event_string

| rex field=event_string "^(?<event_time>[\d\-\s\:\,]*)\s\w+\s(?<event_id>[^\s]*)\s\[(?<event_status>[^\]]*)\]\s(?<event_type>[^\:]*)\:\sA\[(?<A>\d+)\]\sB\[(?<B>\d+)"
| eval _time=strptime(event_time, "%Y-%m-%d %H:%M:%S,%3N")
| eval matched_value=tonumber(A) | eval matched_value=CASE(event_type=="Normal Packet Received", matched_value+10, event_type=="Packet Processed", matched_value)
| table _time event_id event_status event_type event_string A B matched_value
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration values(A) AS A BY event_id B matched_value
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration_secs=ROUND(duration, 3)
| table start_time end_time event_id duration_secs  A B matched_value

ITWhisperer · ‎01-19-2022

You could try modifying the solution you accepted last year!

https://community.splunk.com/t5/Splunk-Search/calculate-duration/m-p/571642/highlight/true#M199202

indeed_2000 · ‎01-19-2022

Thanks for the reminder. I tried that command and it was slow for this scenario. As I mentioned dataset is huge!

any other idea?

Thanks

richgalloway · ‎01-19-2022

I hope it will work with just B because I can't find a way to compare A to A+10.

| rex "\s(?<name>\S+)\s\[.*?A\[(?<A>\d+)]\sB\[(?<B>\d+)"
| stats range(_time) as duration by name, B
| table name duration

---
If this reply helps you, Karma would be appreciated.

indeed_2000 · ‎01-19-2022

Thanks for answer, but need both condition checked.

rex to extract duration

fields

join

rex

stats

table

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

rex to extract duration