Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Capture & Compare _time from two searches using append ?

sjringo
Communicator
‎09-22-2022 06:24 PM

I am performing two searches in an attempt to calculate the duration, but am having some issues.

Here is what I have working so far. Im getting results but they are in two different rows when I see results, I was expecting for them to be in one row to be used to calculate the duration ?

What am I missing...

index=anIndex sourcetype=aSourceType (aString1 AND "START of script")

| eval startTimeRaw=_time

| append [search index=anIndex sourcetype=aSourceType (aString1 AND "COMPLETED OK")

| eval endTimeRaw=_time ]

| table startTimeRaw, endTimeRaw

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎09-23-2022 11:47 AM

Group it by date.

index=anIndex sourcetype=aSourcetype aJobName ("START of script" OR "COMPLETED OK")
| eval startTimeRaw = if (match(_raw, "START of script"), _time, null()), endTimeRaw = if (match(_raw, "COMPLETED OK"), _time, null())
| eval event_date=strftime(_time,"%Y-%m-%d")
| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by event_date host
| eval duration = tostring (duration, "duration")
| table host, duration

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎09-23-2022 06:14 AM

You could try the following:

index=anIndex sourcetype=aSourceType

| transaction transaction_identifier startswith="START" endswith="COMPLETED OK"

| table startTimeRaw, endTimeRaw

 

The transaction_identifier has to be a value that is found in all relevant events and specific to that instance.
For example, if you want to track a purchase then the transaction_identifier could be the ID of the transaction.
Or if you want to track the session of a user you could use the username or the user's ID as the transaction_identifier.

0 Karma
Reply
Solved! Jump to solution

sjringo
Communicator
‎09-23-2022 08:40 AM

For this example there is no unique piece of data that identifies the unique start/end time on a per day basis.  It is the same job that runs every day and its the same job name and same start and stop entries every day.

Is there a way to make the date the unique identifier as I eventually want to show results by day over time?

I have this working when I run for a timerange of 'today' but it does not work when I run for more than one day. i.e. 'week to date'

Your example was missing 'aJobName' as I am scanning many .log files for many jobs but am currently only interested in one to get something working.

index=anIndex sourcetype=aSourcetype aJobName ("START of script" OR "COMPLETED OK")

| eval startTimeRaw = if (match(_raw, "START of script"), _time, null()), endTimeRaw   = if (match(_raw, "COMPLETED OK"), _time, null())

| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by host

| eval duration = tostring (duration, "duration")

| table host, duration

The results for a time range of today returns results like:

Host Duration
server1 00:17:41

When I run for week to date I get the following results:
Host Duration
server1 1+00:52:02

I currently only have two days of data in Splunk but I think what is happening is that each query is returning two events, which is also why in my results I only have one row instead of two (one for 9/23 and one for 9/22) but I dont know how to change the above query or approach to be able to show duration over time on a daily basis which I eventually want to dump into a timechart to show duration over time.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-23-2022 11:48 AM

As @FelixLeh said, usually there must be some transaction identified which bind those event to the same physical event. You said that in this case it is a day. So we can do it by this way

index=anIndex sourcetype=aSourceType aString1 ("START of script" OR "COMPLETED OK")
| eval startTimeRaw = if (match(_raw, "START of script"), _time, null()),
       endTimeRaw   = if (match(_raw, "COMPLETED OK"), _time, null())
| bin span=1d _time as trcId
| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by trcId
| eval durationHuman = tostring (duration, "duration")
| table trcId, startTimeRaw, endTimeRaw

This divide events to 1 day slots and within those slots it calculate duration between start and end events. Probably you need to check that duration > 0 and if need take abs for it to get it right direction. 

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎09-23-2022 11:47 AM

Group it by date.

index=anIndex sourcetype=aSourcetype aJobName ("START of script" OR "COMPLETED OK")
| eval startTimeRaw = if (match(_raw, "START of script"), _time, null()), endTimeRaw = if (match(_raw, "COMPLETED OK"), _time, null())
| eval event_date=strftime(_time,"%Y-%m-%d")
| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by event_date host
| eval duration = tostring (duration, "duration")
| table host, duration

 

 

0 Karma
Reply
Solved! Jump to solution

sjringo
Communicator
‎09-23-2022 05:44 AM

Two follow up questions.

1)  Even though you suggest not using append, why does it not work ?  I have a working example using appendcols and assumed append would work similar.  In the appendcols example I use: " | stats count as X " for the first query variable then " | stats count as Y " for the second variable and then use X & Y to calculate a percentage.  But for this example trying to use eval instead of stats

 

2) The example makes sense up to "by <some id for transaction>".  What am I trying to reference here ?  From the search I have two events and two variables (startTimeRaw & endTimeRaw).

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-22-2022 11:48 PM

Hi

You should avoid to use append if possible. In this case you could try e.g.

index=anIndex sourcetype=aSourceType aString1 ("START of script" OR "COMPLETED OK")
| eval startTimeRaw = if (match(_raw, "START of script"), _time, null()),
       endTimeRaw   = if (match(_raw, "COMPLETED OK"), _time, null())
| stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by <some id for transaction>
| eval durationHuman = tostring (duration, "duration")
| table startTimeRaw, endTimeRaw

Use in by your field which indentify that transaction.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...