time difference between event A and next earliest occurrence of event B in timechart? (both extracted fields)

Explorer

Hi all,

Just to let you know, I'm very new to Splunk and I'm looking for some help on the best approach to solve a problem.

Problem
There is a log which has two separate lines that state the start (A) and end (B) time of a process. The process occurs twice a day - once around 5:45am (+/- 30 mins) and once around 10:45PM (+/- 30 mins). The timing difference between A and B can be assumed to be no more than 1 hour apart.

I would like to know how I can calculate the time difference between A and the next earliest occurrence of B, thus giving me the execution time, which could be put into a timechart.

The log file looks something like this:
-Random lines in log
-A
-Random lines in log
-B
-Random lines in log
-A (Run at 1PM and to be disregarded)
-Random lines in log
-B (Run at 1PM and to be disregarded)
-Random lines in log
-A
-Random lines in log
-B

I have found that localize and map may be of use, but I would like to confirm whether this is the right approach or whether there is something better.

Another fact that is important is that this process also runs a third time every day at 1PM, but I do not want this timecharted. I feel this could be ignored by **date_time != 12** for each event.

Both A and B are also extracted fields.

Thanks


Re: time difference between event A and next earliest occurrence of event B in timechart? (both extracted fields)

Esteemed Legend

Something like this:

index=YouShouldAlwaysSpecifyAnIndexValue sourcetype=AndSourcetypeToo (A=* OR B=*)
| fields _time host A B
| streamstats count(B) AS sessionID BY host
| selfjoin sessionID host overwrite=f
| eval _time = B
| eval executionTime = B - A
| timechart avg(executionTime) BY host

Re: time difference between event A and next earliest occurrence of event B in timechart? (both extracted fields)

Explorer

Hello,

Thank you for your suggestion,

could you please help me understand how that solution works?

Also, I seem to be getting an error for the line "eval _time = B". Not sure why, but the times for all events of B appear as "NaN/NaN/0NaN NaN:NaN:NaN.000" after that line, and _time becomes the actual value of B.


Re: time difference between event A and next earliest occurrence of event B in timechart? (both extracted fields)

Esteemed Legend

I was afraid of that. You will need to figure out the time format of your A and B fields and use strftime like this:

index=YouShouldAlwaysSpecifyAnIndexValue sourcetype=AndSourcetypeToo (A=* OR B=*)
| fields _time host A B
| streamstats count(B) AS sessionID BY host
| selfjoin sessionID host overwrite=f
| eval A = strptime(A, "%Your%Time%Format%Here")
| eval B = strptime(B, "%Your%Time%Format%Here")
| eval _time = B
| eval executionTime = B - A
| timechart avg(executionTime) BY host
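To see what the search above actually does step by step, here is an added Python model of the same pipeline (not Splunk code and not from this thread) run over a constructed log excerpt: it keeps only the A/B lines, converts the timestamps with a strptime format (the layout here is an assumption), replays the newest-first count of B that streamstats produces, merges each session's A and B as the selfjoin does, drops the 1PM run by its hour, and returns B minus A.

```python
from datetime import datetime, timezone

# Constructed log excerpt (hypothetical layout: "<date> <time> <A|B> ...").
SAMPLE_LOG = """\
2019-03-04 05:40:12 other noise line
2019-03-04 05:41:03 A process start
2019-03-04 05:50:30 other noise line
2019-03-04 06:05:45 B process end
2019-03-04 13:00:00 A process start
2019-03-04 13:12:00 B process end
2019-03-04 22:30:00 A process start
2019-03-04 22:55:00 B process end
2019-03-05 05:38:00 A process start
"""

# Assumed timestamp layout; in Splunk this is the strptime format you must find.
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_events(text):
    """Keep only the A/B lines as (epoch_seconds, marker), like `A=* OR B=*`."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3 or parts[2] not in ("A", "B"):
            continue
        stamp = datetime.strptime(parts[0] + " " + parts[1], TS_FMT)
        events.append((stamp.replace(tzinfo=timezone.utc).timestamp(), parts[2]))
    return events

def execution_times(events, skip_hour=13):
    """Pair each A with the next B; return [(end_epoch, seconds)] oldest first.

    Splunk hands events to streamstats newest-first, so `count(B)` rises at
    each B and stays the same for the A that happened just before it. That
    shared value is the sessionID the selfjoin merges on; we replay it here.
    """
    newest_first = sorted(events, key=lambda e: e[0], reverse=True)
    sessions, b_seen = {}, 0
    for epoch, marker in newest_first:
        if marker == "B":
            b_seen += 1
        sessions.setdefault(b_seen, {})[marker] = epoch  # selfjoin on sessionID
    results = []
    for fields in sessions.values():
        if "A" not in fields or "B" not in fields:  # unmatched A or B: no pair
            continue
        end = fields["B"]
        if datetime.fromtimestamp(end, tz=timezone.utc).hour == skip_hour:
            continue  # the midday run the question wants left out
        results.append((end, end - fields["A"]))
    return sorted(results)
```

The trailing A in the sample has no B yet, so it lands in its own session and is dropped, which is also what the selfjoin does with an unmatched event.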