I'm trying to calculate request times for a web app to analyze latency. When a user clicks a button in the client UI, I save the timestamp and push that to Splunk (client_timestamp). When the server receives the request, it writes a Splunk log entry. So event timestamp minus client_timestamp gives me one piece. However, when the server receives the request, it does a few other things before it responds to the client. So when the client receives a response, we also log that (action="response_received"). I basically want to find the diff between when the user clicked the UI and when the UI received the signal to write the action="response_received" log.
[1500700837] location="Germany", device_name="Device A", request_uuid="000412fc-23b9-4882-8241-31482e1987fa", client_timestamp="1500700835936", session_id="8d2c288374d51b6b052e3f03d037b3ca"
[1500700837] location="Germany", device_name="Device B", request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500700835936", session_id="5ca03696a0e19c2b89a189e7534ff0b5"
[1500673343] type="frontend", action="response_received", request_uuid="000412fc-23b9-4882-8241-31482e1987fa", client_timestamp="1500673347109", session_id="8d2c288374d51b6b052e3f03d037b3ca"
[1500700837] location="Canada", device_name="Device C", request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500700835936", session_id="030799a2-9a15-4995-ba1b-04908e1b726b"
[1500673343] type="frontend", action="response_received", request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500673347109", session_id="8d2c288374d51b6b052e3f03d037b3ca"
I essentially want to filter out all the events where not exactly two entries with the same request_uuid exist. Something like:
sourcetype=latency_logs | stats count by request_uuid
Now for all where request_uuid exists 2 times, I'd like to take the client_timestamp from the event that has action="response_received" and subtract it from the other event with the same request_uuid.
Any suggestions how to achieve this? The final result would be a list of request_uuids and their client_timestamp diff
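The pairing logic the post describes, as an added example that is not part of the original post and is written in Python rather than SPL so it can be run offline against the post's own sample events. The function names are hypothetical, and the difference is taken as the response_received client_timestamp minus the other event's client_timestamp, which is an assumption about the intended sign.

```python
import re
from collections import defaultdict

# Sample events copied from the post above; location, device_name and
# session_id are trimmed because the pairing does not use them.
SAMPLE = '''\
[1500700837] request_uuid="000412fc-23b9-4882-8241-31482e1987fa", client_timestamp="1500700835936"
[1500700837] request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500700835936"
[1500673343] action="response_received", request_uuid="000412fc-23b9-4882-8241-31482e1987fa", client_timestamp="1500673347109"
[1500700837] request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500700835936"
[1500673343] action="response_received", request_uuid="7ad4b1ca-397a-46a6-8bf2-3e97864ffd45", client_timestamp="1500673347109"
'''

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV.findall(line))


def latency_by_request(lines):
    """Return {request_uuid: diff_ms} for UUIDs with exactly two events,
    one of them action="response_received" (hypothetical helper)."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if "request_uuid" in event and "client_timestamp" in event:
            groups[event["request_uuid"]].append(event)

    result = {}
    for uuid, events in groups.items():
        if len(events) != 2:  # same filter as "stats count by request_uuid" with count=2
            continue
        responses = [e for e in events if e.get("action") == "response_received"]
        clicks = [e for e in events if e.get("action") != "response_received"]
        if len(responses) != 1 or len(clicks) != 1:
            continue  # two events, but not one click plus one response
        # Assumed sign: response time minus click time, in milliseconds.
        result[uuid] = (int(responses[0]["client_timestamp"])
                        - int(clicks[0]["client_timestamp"]))
    return result


if __name__ == "__main__":
    for uuid, diff_ms in latency_by_request(SAMPLE.splitlines()).items():
        print(uuid, diff_ms)
```

On the sample events, request_uuid 7ad4b1ca-… is dropped because it appears three times, and 000412fc-… yields a negative value because its response_received client_timestamp is smaller than the other event's.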