- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: time difference calculation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
time difference calculation
I have a log which says when session was created and destroyed. What search string should I use to calculate the length of session??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The transaction command is great for this, and works well as a general solution. However, for some purposes, you can accomplish the same thing more efficiently using stats. This may be a pretty good example of that - you're only dealing with two events. Something like:
INFO sessionid
| rex "(Created|destroyed) sessionid: (?<sessionid>[^\s]+)"
| stats min(_time) as begins, max(_time) as ends by sessionid
| eval duration=ends-begins
Some assumptions here include that you don't necessarily have sessionid extracted out as a field yet. If you do, you can skip the rex command. Also, it assumes that a single sessionid value is not reused within the search window and that both the beginning and ending of the session occur within the search window.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
given your logs this is accomplished by;
<your search giving the sample events> | transaction sessionid | timechart avg(duration)
Of course, you may want to change the charting options.
hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a transaction and grab the length of the session from the field duration that will be automatically calculated for you.
If you have some unique identifier that is valid for each session you could use this to identify each session. For instance if a session can be identified by that the field session_id has a unique value, do:
... | transaction session_id
There are other ways of defining how transactions should be created as well, all covered in the manual: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post a copy of the log? that would help me craft a search for you. Assuming that the session start time and session end times are being extracted as fields already and are in every event, the following should work. Essentially, you are going to have to use the eval command.
<yoursearch> | eval starttime=strftime(sessionstart, "%d:%H:%M:%S") | eval endtime=strftime(sessionend, "%d:%H:%M:%S") | eval session_duration=endtime-starttime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2011-11-09 03:48:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FEAA0178D
2011-11-09 03:55:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FEAA0178D
2011-11-09 04:18:41,545 [INFO ] Created sessionid: 8F164BD481ADB7322448A21FE3434DQA
2011-11-09 04:57:31,545 [INFO ] destroyed sessionid: 8F164BD481ADB7322448A21FE3434DQA
What I am trying to do is calculate the session length of each session and find the average of all the session and graph the average session on the chart.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
