Solved: How to calculate the difference between two fields...

jamesofthedead8 · ‎10-28-2019

Trying to calculate out a "TransactionTime" time by pairing two events by one matching field (ECID) and then working the difference between two fields across the two fields (LoggingTime on the request then WritingTime on the response. Response/Request is the MessageType field).

Example events:

2019-10-27 22:04:34.0968 : response, 005_UiHXPHeX0001WE0009jP,0:1, 1572213874966, 2019-10-27 22:04:34.966, , osb/TestBindingQSService
2019-10-27 22:04:34.0873 : request, 005_UiHXPHe0001WE0009jP,0:1, 1572213874870, 2019-10-27 22:04:34.870, , osb/TestBindingQSService

woodcock · ‎10-28-2019

Like this:

... | stats range(_time) AS duration1 min(LoggingTime) AS low max(WritingTime) AS high BY ECID
| eval duration = high - low
| fieldformat duration = tostring(duration)
| fieldformat duration1 = tostring(duration1)

View solution in original post

woodcock · ‎10-28-2019

Like this:

... | stats range(_time) AS duration1 min(LoggingTime) AS low max(WritingTime) AS high BY ECID
| eval duration = high - low
| fieldformat duration = tostring(duration)
| fieldformat duration1 = tostring(duration1)

jamesofthedead8 · ‎10-28-2019

Thanks that seems to be working.

richgalloway · ‎10-28-2019

Please identify the fields in the example events and show the expected output.

---
If this reply helps you, Karma would be appreciated.

jamesofthedead8 · ‎10-28-2019

First event;

ECID=005_UiHXPHeX0001WE0009jP,0:1
LoggingTime=22:04:34.0968
WritingTime=22:04:34.966

Second event;

ECID=005_UiHXPHeX0001WE0009jP,0:1
LoggingTime=22:04:34.0873
WritingTime=22:04:34.870

Transaction time would be the difference between LoggingTime on event 2 (request) and WritingTime on event 1 (response).

How to calculate the difference between two fields on two paired events matched via the contents of a third field?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes