Is it possible to calculate all the durations between subevents in a transaction? For example:
Here's the search:
index=citrix source="C:\Temp\tslogon_log.txt" | transaction UserName host startswith="STARTED" endswith="FINISH"
...and output
We would like to calculate the time difference between all steps in the transaction, so between Started and Step1_Complete, then Step1_Complete and Step2_Complete, etc. All of those differences should add up to the 2.39 seconds Splunk calculated for the overall transaction. Any ideas?
Thanks!
I am not sure that you need the transaction command. The following
index=citrix source="C:\Temp\tslogon_log.txt"
| sort UserName host _time
| delta _time as StepTime p=1
| eval Step=case(searchmatch("STARTED"),null(),
    searchmatch("Step1_Complete"),1,
    searchmatch("Step2_Complete"),2,
    searchmatch("Step3_Complete"),3,
    searchmatch("Step4_Complete"),4,
    searchmatch("FINISH"),5,
    1=1,null())
will create two new fields StepTime and Step, which can be used in a variety of ways
| stats avg(StepTime) as AverageStepTime by Step
or
| stats avg(StepTime) as StepTime by UserName host Step
This solution requires that every "transaction" must have all of the components. It is okay if a transaction is in progress, as it will only calculate the completed steps. However, if the START is not logged or a step is not logged, then it may not work properly.
Hmm, you can't use _time after the transaction, so you must make an eval before the transaction, in order to preserve the timestamp for each subevent in a multivalued field.
...| eval sub_time=_time | transaction UserName host startswith="STARTED" endswith="FINISH"
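Neither answer's SPL can be run outside Splunk, so here is an added Python model of both approaches (not code from the original thread) over a handful of constructed log lines. The log layout (`UserName=... host=... <message>`) is an assumption, since the page never shows the raw file. `sorted_step_deltas` mirrors the first answer (sort by UserName host _time, delta p=1, case() mapping), and shows why STARTED must map to null(): after sorting, the first event of the next user/host group gets a delta against the previous group's FINISH. `transaction_step_deltas` mirrors the second answer, keeping each event's _time in a sub_time list per STARTED..FINISH transaction and differencing consecutive values, which sum exactly to the transaction duration.

```python
import re
from datetime import datetime

# Constructed sample in the spirit of C:\Temp\tslogon_log.txt (not real
# Citrix data). Alice's logon interleaves with Bob's, and Bob's logon is
# still in progress (no FINISH yet).
SAMPLE_LOG = """\
2023-05-01 08:00:00.000 UserName=alice host=ctx01 STARTED
2023-05-01 08:00:00.500 UserName=alice host=ctx01 Step1_Complete
2023-05-01 08:00:00.700 UserName=bob host=ctx02 STARTED
2023-05-01 08:00:01.200 UserName=bob host=ctx02 Step1_Complete
2023-05-01 08:00:01.400 UserName=alice host=ctx01 Step2_Complete
2023-05-01 08:00:02.390 UserName=alice host=ctx01 FINISH
"""

# Assumed line layout; adjust the regex to the real extraction.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UserName=(?P<UserName>\S+) host=(?P<host>\S+) (?P<msg>\S+)$"
)
EPOCH = datetime(2023, 1, 1)  # fixed reference so _time does not depend on local TZ

# Same mapping as the case() in the first answer; STARTED (and anything
# unknown) gets no Step, which is what drops the cross-group delta below.
STEP_OF = {"Step1_Complete": 1, "Step2_Complete": 2, "Step3_Complete": 3,
           "Step4_Complete": 4, "FINISH": 5}


def parse_events(text):
    """Turn raw lines into dicts carrying a float _time in seconds, like Splunk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append({"_time": (ts - EPOCH).total_seconds(),
                       "UserName": m["UserName"], "host": m["host"],
                       "msg": m["msg"]})
    return events


def sorted_step_deltas(events):
    """First answer: sort UserName host _time | delta _time as StepTime p=1 | eval Step=case(...)."""
    ordered = sorted(events, key=lambda e: (e["UserName"], e["host"], e["_time"]))
    rows = []
    prev = None
    for cur in ordered:
        step_time = None if prev is None else round(cur["_time"] - prev["_time"], 3)
        rows.append({"UserName": cur["UserName"], "host": cur["host"],
                     "msg": cur["msg"], "Step": STEP_OF.get(cur["msg"]),
                     "StepTime": step_time})
        prev = cur
    return rows


def average_step_time(rows):
    """| stats avg(StepTime) as AverageStepTime by Step (rows without a Step are ignored)."""
    samples = {}
    for r in rows:
        if r["Step"] is None or r["StepTime"] is None:
            continue
        samples.setdefault(r["Step"], []).append(r["StepTime"])
    return {step: round(sum(v) / len(v), 3) for step, v in sorted(samples.items())}


def transaction_step_deltas(events):
    """Second answer: eval sub_time=_time before the transaction, then diff
    consecutive sub_time values inside each STARTED..FINISH transaction."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        by_key.setdefault((e["UserName"], e["host"]), []).append(e)
    result = {}
    for key, evs in by_key.items():
        sub_time = []  # the multivalued field the answer preserves
        for e in evs:
            if e["msg"] == "STARTED":
                sub_time = [e["_time"]]
            elif sub_time:
                sub_time.append(e["_time"])
                if e["msg"] == "FINISH":
                    deltas = [round(b - a, 3) for a, b in zip(sub_time, sub_time[1:])]
                    result[key] = {"StepTimes": deltas,
                                   "duration": round(sub_time[-1] - sub_time[0], 3)}
                    sub_time = []  # only closed transactions are reported
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for r in sorted_step_deltas(evs):
        print(r)
    print(average_step_time(sorted_step_deltas(evs)))
    print(transaction_step_deltas(evs))
```

Note the row for Bob's STARTED in the first approach: its raw delta is negative because the previous sorted event is Alice's FINISH. The case() branch that maps STARTED to null() is what keeps that value out of the stats, and the same caveat the first answer gives applies here: a missing STARTED or step line shifts every delta after it.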