Dashboards & Visualizations

How to create average time search?

aditsss
Motivator

Hi Team,

I am getting these two logs on a daily basis:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1

2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

2023-07-18 08:04:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/17/2023, & version=1

2023-07-18 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

I want to create one query where I can calculate the average time between process start and completion:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1

2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

My current query is this:

index= "600000304_d_gridgain_idx*" sourcetype = "600000304_gg_abs_ipc2"  source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log"

Can someone guide me on how to move forward and create the average query?

ITWhisperer
SplunkTrust

As a guide, you could look at the transaction command

transaction - Splunk Documentation

aditsss
Motivator

@ITWhisperer 

Can you please suggest the query? I am not able to work out how, if we take the first time and the last time, we can do that:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
 
How can we take the first time and the last time and show the average of the time? How do we fetch the time from these two logs and create the average time?
 
@ITWhisperer could you please suggest?

ITWhisperer
SplunkTrust

Use the transaction command's startswith and endswith arguments to define the start and end of each transaction, then take an average of the durations of the transactions.

aditsss
Motivator

@ITWhisperer 

These two logs appear on a daily basis. Could you please help me with the query here:

How can I fetch the time and then calculate the average:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

ITWhisperer
SplunkTrust

Based on my suggestion to use the transaction command, what have you tried so far?

aditsss
Motivator

@ITWhisperer 

Can you guide me how I can fetch the time from both logs:

2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
 
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true

ITWhisperer
SplunkTrust

The logs should already have a timestamp in the _time field - does this match the time you are looking for?

aditsss
Motivator

Hi @ITWhisperer 

I have created one query like this for the start time:

index= "abc" sourcetype = "600000304_gg_abs_ipc2" " Started ASSOCIATION process for" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex "-\s+(?<message>.*)" | table message _time

I am getting below result:

message                                                          _time
Started ASSOCIATION process for BusDt=07/19/2023, & version=1    2023-07-20 10:49:53.777
Started ASSOCIATION process for BusDt=07/20/2023, & version=1    2023-07-21 10:39:08.819
Started ASSOCIATION process for BusDt=07/21/2023, & version=1    2023-07-22 08:24:19.919

The second query I have created for the END TIME is this:

index= "abc*" sourcetype = "600000304_gg_abs_ipc2" "Successfully completed ASSOCIATION process" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" |rex "-\s+(?<message1>.*)" | table message1 _time

I am getting the result below:

Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-20 11:42:53.835
Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-21 11:29:00.247
Successfully completed ASSOCIATION process!! isAssociationBalanced?=true      2023-07-22 09:18:20.100

How can I create one single query to show the average time between START and END TIME, averaged day-wise:

START TIME FOR DAY 2023-07-20

message                                                          _time
Started ASSOCIATION process for BusDt=07/19/2023, & version=1    2023-07-20 10:49:53.777

END TIME FOR DAY 2023-07-20

message1                                                                    _time
Successfully completed ASSOCIATION process!! isAssociationBalanced?=true    2023-07-20 11:42:53.835

@ITWhisperer Can you please guide me.

ITWhisperer
SplunkTrust

I am trying to guide you but you don't appear to be taking any notice. Try using the transaction command:

index= "abc" sourcetype = "600000304_gg_abs_ipc2"
| rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"

You might need a reverse command, or perhaps switch the startswith and endswith strings.

aditsss
Motivator

@ITWhisperer 

I tried this query but no result:

index= "abc*" sourcetype = "600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-transform/logs/gfp-settlement-transform.log" | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for BusDt" endswith="Successfully completed ASSOCIATION process" | table thread

Can you please guide?

ITWhisperer
SplunkTrust

Where did table thread come from? What do you get without that?

aditsss
Motivator

Hi @ITWhisperer 

With the below query I am not getting any statistics:

index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"

I have attached the screenshot.

How can I calculate average time?

ITWhisperer
SplunkTrust

One of the fields you probably get from transaction is duration. Try getting an average of this field.

aditsss
Motivator

@ITWhisperer 

How can I get the duration from these two loggers:

Started ASSOCIATION process for BusDt=07/25/2023, & version=1 - 2023-07-26 07:52:36.011

Successfully completed ASSOCIATION process!! isAssociationBalanced?=true - 2023-07-26 08:44:07.507

Please guide how I can use transaction command to get average.

ITWhisperer
SplunkTrust
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| stats avg(duration)

aditsss
Motivator

@ITWhisperer 

Thanks, the query works, but is it possible to show it in hour/min/sec/ms format? Currently it is showing only in seconds.

ITWhisperer
SplunkTrust
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| stats avg(duration) as duration
| eval duration=tostring(duration, "duration")

aditsss
Motivator

@ITWhisperer 

If we want to see each day separately, like for the last 7 days, should we use table then?

ITWhisperer
SplunkTrust
index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 | rex "\[(?<thread>Thread[^\]]+)\]"
| transaction thread startswith=" Started ASSOCIATION process for" endswith="Successfully completed ASSOCIATION process"
| timechart avg(duration) as duration span=1d
| eval duration=tostring(duration, "duration")
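As an added illustration that is not part of the thread, the following Python does the same start/end pairing outside Splunk over constructed log lines in the thread's format: it mirrors what `transaction thread startswith=... endswith=...` followed by `timechart avg(duration) span=1d` computes, which is useful for checking the Splunk result against a known answer. The HH:MM:SS.mmm formatter is an assumed approximation of `tostring(x, "duration")`, not Splunk's own implementation.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample events in the same layout as the thread's log lines.
SAMPLE_LOG = """\
2023-07-17 08:05:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/16/2023, & version=1
2023-07-17 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
2023-07-18 08:04:59.764 [INFO ] [Thread-3] TransformProcessor - Started ASSOCIATION process for BusDt=07/17/2023, & version=1
2023-07-18 08:52:44.484 [INFO ] [Thread-3] AssociationProcessor - Successfully completed ASSOCIATION process!! isAssociationBalanced?=true
"""
# Thread capture mirrors the thread's rex: \[(?<thread>Thread[^\]]+)\]
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[\w+\s*\] \[(?P<thread>Thread[^\]]+)\] (?P<msg>.*)$")
STARTS_WITH = "Started ASSOCIATION process for"
ENDS_WITH = "Successfully completed ASSOCIATION process"

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["thread"], m["msg"]

def transactions(lines):
    """Pair each start with the next end on the same thread, like transaction
    startswith/endswith; unmatched ends are dropped, a new start supersedes an open one."""
    open_start, closed = {}, []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, thread, msg = parsed
        if STARTS_WITH in msg:
            open_start[thread] = ts
        elif ENDS_WITH in msg and thread in open_start:
            start = open_start.pop(thread)
            closed.append((start, (ts - start).total_seconds()))
    return closed

def daily_avg_duration(lines):
    """Average duration per calendar day of the start event (timechart span=1d)."""
    by_day = defaultdict(list)
    for start, secs in transactions(lines):
        by_day[start.strftime("%Y-%m-%d")].append(secs)
    return {day: sum(v) / len(v) for day, v in sorted(by_day.items())}

def to_duration_string(secs):
    """Render seconds as HH:MM:SS.mmm (assumed approximation of tostring(x, "duration"))."""
    whole, ms = int(secs), round((secs - int(secs)) * 1000)
    h, rem = divmod(whole, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"
```

Running `daily_avg_duration(SAMPLE_LOG.splitlines())` gives one average per day, which is the figure the timechart row for that day should show.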