Hi Arjun,
I am unable to receive with this query start time. Can you explain the query for understanding my requirement.

Hi @kanamarlapudivenkatanagavinaykumar

2 probabilities here.
1. The selected time range is not large enough to cover the whole event. Try increasing the time range.
2. There is a difference in case. For this, modify the query as below.

 | stats min(eval(if(match(lower(_raw), "security gate check"), _time, null()))) as start, max(eval(if(match(lower(_raw), "found valid consumer for identity"), _time, null()))) as end by trace
 | eval duration = end-start
 | stats avg(duration) as Average_Response_Time

What I'm doing here is, I'm taking the min start time for events which have the phrase "security gate check" as the start time, and max time of events which have the phrase "found valid consumer for identity" as the end time per trace. The assumption is trace is unique per transaction.

Hope this helps

hi Arjun,

Thanks for quick reply.

Even the events available in the selected time range ( i.e 7 days), I am getting as a null for start time. For end time i am able to see end time in Unix timestamp format. How to get the actual timestamp instead of unix epoch format.

Kindly suggest on the same.

That's very strange that you are getting just the end and not the start time. It looks like it's unable to find the pattern "Security gate check" in _raw. Could you verify that there are no special characters in the raw events?

Another possibility is that it's unable to find start and end events for the same trace. Try sorting by start to see if you events with start but no end. In that case, the regex for extracting the trace might need to be modified.

To convert epoch to standard time, you can use one of the following

| convert ctime(<your time field>)

OR

| eval <time field> = strftime(<time field>, "<desired time format>") 

Use this to build the time format string - https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables

Please upvote if this helped you.

Hi Arjun,
Thanks for quick reply, i am able to convert the timestamp.

The below event log is my sample raw data. if i give "security gate check" i am able to see the start time , if i give " Security gate check POST" it is not working. I am giving post because some other requests has PATCH to avoid that event logs.

"2019-12-05 08:03:25.348 INFO [price:promotion:rrt-0c8dfd466053d7c3c-b-de-18025-17252943-6,4c5c49909b36f6f3,4c5c49909b36f6f3] 23 xxxxx : Security gate check : requestURI : /promotions/async : HttpMethod : POST

Hi Arjun,

Can you provide how to calculate count for the same criteria, which either start or end is not null ( i.e. Start and end consider as one event).

If you can provide the query for this it will be very helpful.

That's simple

| stats min(eval(if(match(lower(_raw), "security gate check"), _time, null()))) as start, max(eval(if(match(lower(_raw), "found valid consumer for identity"), _time, null()))) as end by trace
| search start=* AND end=*
| eval duration = end-start
| stats avg(duration) as Average_Response_Time, count as total

Hi Arjun,

I did this , but i am getting null values of start and end of trace also including in this count, which i am looking to include both start and end not null case count.

Hi Arjun,

Thank you for your patience for answering my questions.

I have two below queries, can you please suggest how to merge and get difference of counts in separate column.

index=A | rex field=_raw command=(?\w+) | stats count by CountA

index=A | rex field=_raw command=(?\w+) | stats count by CountB

Common ID i am getting through rex command.

I am looking for the below output,

Common ID Count A Count B Difference ( i.e. Count A - Count B)

Kindly suggest on this any approach, i have tried subsearch and joins. Unable to get the result.

Hi @kanamarlapudivenkatanagavinaykumar

It looks like some part of your query is missing. Once you enter query, highlight it and press the code sample button (The button with 1's and 0's) This will ensure that the everything within the code sample is retained.

Also, is this a different question from the original question in the post? If yes, could you please post this as a new question? This helps others who have a similar problem as you are. A new question in the comment kind of get's lost since other's wouldn't be able to view it and you miss out on inputs from other contributors in the forum 🙂

You have Accepted this answer and closed it; was that a mistake? Do you have a working answer or do you still need help? There is an UnAccept button...

Hi Woodcock,
Arjun helped regarding this query, it is working fine. I am looking for another solution. Which i will raise as a separate request.

Hmm.

Are you getting duration values for events where start or end is null? If not, do this.

 | stats min(eval(if(match(lower(_raw), "security gate check"), _time, null()))) as start, max(eval(if(match(lower(_raw), "found valid consumer for identity"), _time, null()))) as end by trace

 | eval duration = end-start | search duration=*
 | stats avg(duration) as Average_Response_Time, count as total

Also, if you need only POST events, add the filter to the base search like this

index= <your index> POST

OR if you need everything except PATCH

index=<your index> NOT PATCH

Hi Arjun,

POST is not available in both events, it is available in start event only. I can't add this to base search.

Also, if you need only POST events, add the filter to the base search like this

index= <your index> POST

OR if you need everything except PATCH

index=<your index> NOT PATCH

Hi Woodcock,
Thanks for your reply.

Both log events are from same request only, one is related to one layer and second one is related to another layer of same request. We are trying to find the each layer wise response time. in both statements only one common trace id is only available. the given query is not resulting any results.

Kindly provide alternative solution for my requirement.