- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- calculate time difference between starting and com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a database that stores a separate event every time someone starts or stops a task. This should be a simple task, but I cant seem to figure out how to go about the calculation. There are three things I need to account for: accepting the task, abandoning the task, and completing the task. I only want to calculate the time it takes between each user's accepting a task and completing it. If they abandoned it, then I don't want splunk to calculate the time
This is working off of timestamps and the fields user_name and action
action=0 for accepting
action=1 for completing
action=2 for abandoning
Any suggestions as to how I would go about this calculation?
EDIT: My supervisors loved it, but now they want me to cut out times when the users are not logged in. I asked around, and got a nice addition to the logs: total_login_time, which, as it's so simply named, is a simple record, in milliseconds, of how long the users have been logged in to the site. Can I still use transaction? Or do I need to change it entirely?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:
... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I was looking for!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great Stuff Ayn. Thanks. Give the points to Ayn!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:
... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I did have to change it around a bit. The resulting search string looks a bit like this:
index=task_data task="*" NOT action="2" | transaction user_name startswith="action=0" endswith="action=1" maxevents="2" | where duation>0 | stats count by duration, task_name | fields task_name, duration |sort -duration |rename task_name AS "Task Name"
and it's giving me fairly nice results.
on an unrelated note, I love your picture. That game was really fun.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would recommend that you take a look at the "transaction" command. It has a built in field called "duration". Here is an example of how to use it.
source="your data" | transaction action beginswith="0" endswith="2"
You might need to experiment with the maxspan and maxpause as well.
Here is a link to more information:
http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's giving me some very nice results!
Thank you!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
