Splunk Search

Time Difference in the transaction

sanyonhhh
New Member

Below is a sample log; I want to find the time difference. With this query
index=[search] | transaction startswith="A started" endswith="A completed"
I was able to find the rows from the log.

2013-10-04T07:54:05 Component Log-level A Started

2013-10-04T07:54:09 Component Log-level A Completed

The x-axis should be plotted with span=1d and the y-axis plotted with the time difference value. Please help me.

0 Karma

dwaddle
SplunkTrust

If I understand what you are trying to say, you want a 24-hour chart with every transaction in that 24 hours and its respective duration. I think there is some confusion by your use of the phrase "span=1d" because that is commonly a search argument to timechart - which will have to do some statistical aggregation because that is all it knows.

An approach that you can use with limited data is something like this:

index=[search] earliest=@d latest=@d+1d
| transaction startswith="A started" endswith="A completed"
| table _time, duration

This produces chartable data that is 24 hours wide with every data point in the sample represented. BUT if you have more than a few hundred data points, it starts to fall apart fast. Example - on a 1600x1200 screen, even if the chart is full screen you only have enough room for about 1500 data points (assuming 1 pixel per data point).

When you have a large number of data points and you need a somewhat sensible graph, that is where doing timechart and aggregating over time ranges is essential. For example, over a 1 day search period take an average - or maximum or minimum or something - over a span=1m.
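As an added illustration that is not part of this thread, the pairing logic that `transaction startswith=... endswith=...` performs, followed by the two outputs discussed here (`table _time, duration` and `timechart span=1d avg(duration)`), re-created in plain Python over constructed log lines modelled on the sample in the question. It shows that a transaction's duration is simply end time minus start time, whether or not there are events in between.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the thread verbatim): one transaction with
# two intermediate events on 2013-10-04, and a second transaction the next day.
SAMPLE_LOG = """\
2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:06 Component Log-level step one
2013-10-04T07:54:08 Component Log-level step two
2013-10-04T07:54:09 Component Log-level A Completed
2013-10-05T10:00:00 Component Log-level A Started
2013-10-05T10:00:30 Component Log-level A Completed
"""

def parse_events(log_text):
    """Yield (timestamp, message) per line; timestamp is the first token."""
    for line in log_text.splitlines():
        ts, _, msg = line.partition(" ")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), msg

def transactions(log_text, startswith="A started", endswith="A completed"):
    """Mirror `transaction startswith=... endswith=...`: a transaction opens at
    a start event and closes at the next end event (matching is case-insensitive,
    as Splunk's string match is). duration = last event time - first event time;
    intermediate events are collected but never add to the duration."""
    result, current = [], None
    for ts, msg in parse_events(log_text):
        if msg.lower().endswith(startswith.lower()):
            current = {"_time": ts, "events": [msg]}
        elif current is not None:
            current["events"].append(msg)
            if msg.lower().endswith(endswith.lower()):
                current["duration"] = (ts - current["_time"]).total_seconds()
                result.append(current)
                current = None
    return result

def table_time_duration(txns):
    """Equivalent of `| table _time, duration`: one row per transaction."""
    return [(t["_time"], t["duration"]) for t in txns]

def timechart_avg_duration(txns):
    """Equivalent of `| timechart span=1d avg(duration)`: one averaged value per day."""
    buckets = defaultdict(list)
    for t in txns:
        buckets[t["_time"].date()].append(t["duration"])
    return {day: sum(v) / len(v) for day, v in sorted(buckets.items())}
```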

kristian_kolb
Ultra Champion

duration is calculated as the time difference between the first and last event in a transaction, regardless of how many events are in the transaction.

I'm sorry, but perhaps you can give more sample data and explain why the durations you get are 'wrong'.

0 Karma

sanyonhhh
New Member

Hi dwaddle,

E.g. query works fine when the log result like below,

2013-10-04T07:54:05 Component Log-level A Started
2013-10-04T07:54:09 Component Log-level A Completed

But it fails when it contains in-between lines: it aggregates the time difference of all the lines and gives that.

2013-10-04T07:54:05 Component Log-level A Started \ this is the startswith content

2013-10-04T07:54:09 Component Log-level A Completed \ this is the endswith content

I need the time difference between the start and end content, excluding the time difference of the in-between lines.

0 Karma

kristian_kolb
Ultra Champion

Perhaps a timechart is what you are looking for, for plotting the duration value over time for a certain transaction. duration is calculated automatically by the transaction command. See the example below, which works on standard apache web logs.

sourcetype=access_combined earliest=-1h clientip=10.1.1.1 
| transaction clientip maxspan=3m
| timechart span=1m first(duration) by clientip 

Hope this helps,

K

0 Karma

kristian_kolb
Ultra Champion

Maybe I could have been clearer with that. Given the timespans in my example, there will not be more than one transaction per timeslice, so it does not matter which avg(), min(), first() etc. function is used.

0 Karma

sowings
Splunk Employee

My reading is "I want every duration plotted, not first() or avg()".

0 Karma

kristian_kolb
Ultra Champion

duration IS the time difference between start pattern and end pattern, i.e. startswith and endswith, for EACH transaction. The sample log in your question would have a duration value of 4 (seconds), regardless of how many events there are IN the transaction.

Is there some other time difference you wish to calculate? Please provide more sample events, and a description of how you want it charted.

/k

0 Karma

sanyonhhh
New Member

Yes, duration is calculated, but I need the time difference between the start pattern and the end pattern, not all.

0 Karma

okrabbe_splunk
Splunk Employee

You would use timechart. Transaction already calculates the duration between start and end of a transaction.

index=[search] | transaction startswith="A started" endswith="A completed"
| timechart span=1d avg(duration)

okrabbe_splunk
Splunk Employee

Well, anytime you bucket you need to aggregate the data in some way by either doing an average, max, min etc. If you just want to list them all you could do the following instead:

| chart last(duration) by _time

This is pretty close to what Kristian suggested below so I am not sure why you didn't like his answer?

0 Karma

sanyonhhh
New Member

How do I get that transaction time difference? The query you gave gives only the average. I need the difference for every transaction that happened; it is present in the same event.

0 Karma