Splunk Search

How to get time duration between two events INSIDE a transaction?

InkerzBrad
Explorer

Basically what the log looks like is as below:

User log in---
some trivial events---
User start a action ----
some trivial events---
User end a action ----
some trivial events---
User log out---

I managed to use transaction to extract the events between user log in and user log out, but what I need is to get the start time and end time of this action and the time duration between start and end.

Any help would be appreciated...

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Well, give this a try. Assuming you can extract the action performed by the events into a field (e.g. user_auth, user_action_start, user_action_end, user_signoff):

* | rex "\suser_(?<Action>\w+)" | eval temp=mvzip(Action,_time,"#") | transaction Session connectionID startswith="user_auth" endswith="user_signoff" | eval start=mvfilter(match(temp,"action_start")) | eval end=mvfilter(match(temp,"action_end")) | eval actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1)


InkerzBrad
Explorer

Thanks, in the last statement, which is actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1), it says '-' only takes numbers, which _time is apparently not. How could I solve it?


InkerzBrad
Explorer

It does the job!!


somesoni2
SplunkTrust
SplunkTrust

mvindex returns a string, so you need to convert it to a number. Try this:

....| eval actionDuration=tonumber(mvindex(split(end,"#"),1))-tonumber(mvindex(split(start,"#"),1))
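A self-contained version of the accepted mvzip/transaction approach combined with the tonumber fix above, added here as an example (not code from the thread): makeresults builds four constructed events for one session, so it runs on any Splunk instance without the original data, and the status column is an added check that the action both completed and fell inside the session. It assumes the field names SessionID and ConnectionID from the sample log and the constructed epoch timestamps; note that _time is passed to mvzip unquoted, since a double-quoted "_time" is a string literal in eval.

```spl
| makeresults count=4
| streamstats count AS n
| eval SessionID="S1", ConnectionID="C1"
| eval _time=case(n==1, 1700000000, n==2, 1700000060, n==3, 1700000345, n==4, 1700000400)
| eval _raw=case(n==1, "S1 C1 user_auth", n==2, "S1 C1 user_action_start", n==3, "S1 C1 user_action_end", n==4, "S1 C1 user_signoff")
| rex field=_raw "\suser_(?<Action>\w+)"
| eval temp=mvzip(Action,_time,"#")
| sort -_time
| transaction SessionID ConnectionID startswith=eval(Action="auth") endswith=eval(Action="signoff")
| eval start=mvfilter(match(temp,"^action_start#")), end=mvfilter(match(temp,"^action_end#"))
| eval actionStart=tonumber(mvindex(split(start,"#"),1)), actionEnd=tonumber(mvindex(split(end,"#"),1))
| eval actionDuration=if(isnotnull(actionStart) AND isnotnull(actionEnd), actionEnd-actionStart, null())
| eval status=case(isnull(actionDuration), "action_incomplete", actionDuration>duration, "action_outside_session", true(), "ok")
| table SessionID ConnectionID eventcount duration actionStart actionEnd actionDuration status
```

With these constructed timestamps the transaction reports duration=400 (login to logout) and actionDuration=285 (action start to action end) with status "ok"; on real data replace the makeresults, streamstats and eval lines that build the events with the base search, and the sort keeps the events in the descending time order that transaction expects.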

woodcock
Esteemed Legend

The transaction command creates a field called duration whose value is the difference between the timestamps for the first and last events in the transaction.


InkerzBrad
Explorer

Thanks, but I need the timestamp difference between two events that are inside the transaction, not the first or the last. Any way I could do that?


woodcock
Esteemed Legend

Why not adjust the transaction to start and end with the events that you need? Then you can use duration.


InkerzBrad
Explorer

Because I need to make sure it happens inside the user's login session, so that I can know how much time one user spent on this action.

Or maybe there's another way?


somesoni2
SplunkTrust
SplunkTrust

Can you provide some sample logs and current query?


InkerzBrad
Explorer

Yeah sure:
the log is like:

SessionID ConnectionID (both are fields extracted) ..user_auth..(plain text inside log)
SessionID ConnectionID (both are fields extracted) ..user_action_start..(plain text inside log)
SessionID ConnectionID (both are fields extracted) ..user_action_end..(plain text inside log)
SessionID ConnectionID (both are fields extracted) ..user_signoff..(plain text inside log)

and my current query is
*| transaction Session connectionID startswith="user_auth" endswith="user_signoff"
