- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- calculate time difference between starting and com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a database that stores a separate event every time someone starts or stops a task. This should be a simple task, but I cant seem to figure out how to go about the calculation. There are three things I need to account for: accepting the task, abandoning the task, and completing the task. I only want to calculate the time it takes between each user's accepting a task and completing it. If they abandoned it, then I don't want splunk to calculate the time
This is working off of timestamps and the fields user_name and action
action=0 for accepting
action=1 for completing
action=2 for abandoning
Any suggestions as to how I would go about this calculation?
EDIT: My supervisors loved it, but now they want me to cut out times when the users are not logged in. I asked around, and got a nice addition to the logs: total_login_time, which, as it's so simply named, is a simple record, in milliseconds, of how long the users have been logged in to the site. Can I still use transaction? Or do I need to change it entirely?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:
... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I was looking for!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great Stuff Ayn. Thanks. Give the points to Ayn!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:
... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I did have to change it around a bit. The resulting search string looks a bit like this:
index=task_data task="*" NOT action="2" | transaction user_name startswith="action=0" endswith="action=1" maxevents="2" | where duation>0 | stats count by duration, task_name | fields task_name, duration |sort -duration |rename task_name AS "Task Name"
and it's giving me fairly nice results.
on an unrelated note, I love your picture. That game was really fun.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would recommend that you take a look at the "transaction" command. It has a built in field called "duration". Here is an example of how to use it.
source="your data" | transaction action beginswith="0" endswith="2"
You might need to experiment with the maxspan and maxpause as well.
Here is a link to more information:
http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's giving me some very nice results!
Thank you!
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
