How to edit my transaction search to calculate duration?

mprreddy51
Explorer

Hi Folks,

How do I calculate the time for the scenario below (same ACCNO), using transaction?

20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234" 

20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"

Current Search:

index=PQRST sourcetype=TEST SNAME=DEMO
| rex "(?<pt>\d{8}T\d{6}\.\d{3})"
| eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f")
| transaction SNAME startswith="REQ" endswith="RES"
| eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0))
| table ACCNO,duration

Output:

ACCNO        duration
20161234     1.05
20161234     1.04

Thanks,
P

1 Solution

somesoni2
SplunkTrust

Try this run-anywhere sample (built from the data in your question). It does calculate the duration as you expect. If this is not what you want, could you provide the table you're expecting?
Everything before rex is there to generate sample data.

| gentimes start=-1
| eval temp="20160719T181321.405 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181320.400 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181231.906 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181230.902 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\""
| table temp
| makemv temp delim="#"
| mvexpand temp
| rename temp as _raw
| extract kvdelim="="
| rex "(?<pt>\d{8}T\d{6}\.\d{3})"
| eval _time=strptime(pt, "%Y%m%dT%H%M%S.%f")
| transaction SNAME startswith="REQ" endswith="RES"


mprreddy51
Explorer

Hi @somesoni2

I have big events; I made them short, and there are thousands of events like this. For each ACCNO there will be 2 REQ and 2 RES, as I showed. Sometimes there may be one REQ and one RES also. I want to calculate the time taken between the first REQ and the first RES for the same ACCNO. Example: if there are 2 requests and 2 responses for the same ACCNO, then I should get the time taken between the first REQ and first RES, and the time taken between the second REQ and second RES.

expected output:

ACCNO        DURATION
20161234     1.05 (difference between 1st REQ and 1st RES)
20161234     1.04 (difference between 2nd REQ and 2nd RES)
similar for other ACCNOs also......


somesoni2
SplunkTrust

Give this a try

index=PQRST sourcetype=TEST SNAME=DEMO MESSAGE="RES" OR MESSAGE="REQ"
| rex "(?<pt>\d{8}T\d{6}\.\d{3})"
| eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f")
| transaction SNAME startswith="REQ" endswith="RES"
| eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0))
| table ACCNO,duration

richgalloway
SplunkTrust

Duration is calculated automatically by the transaction command.

---
If this reply helps you, Karma would be appreciated.

mprreddy51
Explorer

I know duration will come automatically with transaction.

I want the format below for the above data. The calculation should be the first "REQ" and first "RES" time, and in the same way the second REQ and second RES time.

ACCNO duration
20161234 1.05
20161234 1.04

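As an added illustration of the pairing the thread is asking for (this is example code, not part of the question or any of the answers), the Python script below walks the sample events in time order and pairs each REQ with the next RES for the same ACCNO, which is what transaction with startswith/endswith does, then reports the difference as the duration. It also keeps any REQ that never receives a RES, so an incomplete pair is surfaced rather than silently dropped. The extra ACCNO 20169999 event and the max_span parameter (a stand-in for transaction's maxspan) are constructed for this example; on the question's own four lines the computed differences are 1.004 and 1.005 seconds.

```python
import re
from datetime import datetime

# Constructed sample: the four lines from the question plus one orphan REQ
# (ACCNO 20169999) that never receives a RES, to show the unmatched case.
SAMPLE_EVENTS = """\
20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
20160719T181300.000 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20169999"
20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
"""

TS_RE = re.compile(r"^(?P<pt>\d{8}T\d{6}\.\d{3})")   # same pattern as the rex in the thread
KV_RE = re.compile(r'(\w+)="([^"]*)"')                # key="value" pairs, like extract kvdelim="="


def parse_event(line):
    """Turn one raw line into a dict of fields plus a datetime under '_time'.

    Mirrors rex + strptime + extract in the SPL; returns None for lines that
    do not start with the expected timestamp.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["_time"] = datetime.strptime(m.group("pt"), "%Y%m%dT%H%M%S.%f")
    return fields


def pair_transactions(raw, max_span=None):
    """Pair each REQ with the next RES for the same ACCNO, oldest first.

    Returns (closed, unmatched): closed is a list of (ACCNO, duration_seconds)
    rows, one per REQ/RES pair; unmatched lists REQ events that never saw a
    matching RES, or whose RES arrived more than max_span seconds later.
    """
    events = [e for e in map(parse_event, raw.splitlines()) if e]
    # Splunk lists newest events first; the pairing has to run oldest first.
    events.sort(key=lambda e: e["_time"])

    pending = {}      # ACCNO -> the REQ event still waiting for its RES
    closed = []
    unmatched = []
    for ev in events:
        acc = ev.get("ACCNO")
        kind = ev.get("MESSAGE")
        if kind == "REQ":
            if acc in pending:            # a second REQ before any RES: first one is orphaned
                unmatched.append(pending[acc])
            pending[acc] = ev
        elif kind == "RES" and acc in pending:
            req = pending.pop(acc)
            dur = (ev["_time"] - req["_time"]).total_seconds()
            if max_span is not None and dur > max_span:
                unmatched.append(req)     # too late to count as the same transaction
                continue
            closed.append((acc, round(dur, 3)))
    unmatched.extend(pending.values())    # REQs still open at the end of the data
    return closed, unmatched


if __name__ == "__main__":
    rows, leftovers = pair_transactions(SAMPLE_EVENTS)
    print("ACCNO        duration")
    for acc, dur in rows:
        print(f"{acc}     {dur:.3f}")
    for req in leftovers:
        print(f"unmatched REQ for ACCNO {req['ACCNO']} at {req['_time'].isoformat()}")
```

Grouping on ACCNO rather than only on SNAME is what keeps interleaved requests from different accounts from being paired with each other; the unmatched list is the equivalent of checking transaction's closed_txn flag or keepevicted output when a request has no response.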