transaction duration between subevents

aaronkorn · ‎09-03-2013

Is it possible to calculate all the duration between subevents in a transaction? For example..

Here's the search:

index=citrix source="C:\Temp\tslogon_log.txt" | transaction UserName host startswith="STARTED" endswith="FINISH"

...and output

We would like to calculate the time difference between all steps in the transaction. So between Started and Step1_Complete, then Step1_Complete and Step2_Complete etc.. which all those differences should add to the 2.39 seconds Splunk calculated for the overall transaction. Any ideas?

Thanks!

lguinn2 · ‎09-04-2013

I am not sure that you need the transaction command. The following

index=citrix source="C:\Temp\tslogon_log.txt"
| sort  UserName host _time
| delta _time as StepTime p=1
| eval Step=case(searchmatch("STARTED"),null(),
            searchmatch("Step1_Complete"),1
            searchmatch("Step2_Complete"),2
            searchmatch("Step3_Complete"),3
            searchmatch("Step4_Complete"),4
            searchmatch("FINISH"),5
            1=1,null())

will create two new fields StepTime and Step, which can be used in a variety of ways

| stats avg(StepTime) as AverageStepTime by Step

or

| stats avg(StepTime) as StepTime by User Host Step

This solution requires that every "transaction" must have all of the components. It is okay if a transaction is in progress, as it will only calculate the completed steps. However, if the START is not logged or a step is not logged, then it may not work properly.

kristian_kolb · ‎09-03-2013

Hmm, you cant use _time after the transaction, so you must make an eval before the transaction, in order to preserve the timestamp for each subevent in a multivalued field.

...| eval sub_time = _time |

transaction duration between subevents

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!