Solved: How to edit my transaction search to calculate dur...

mprreddy51 · ‎07-19-2016

Hi Folks,

How to calculate the time below scenario(same accno). Using transaction.

20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234" 

20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"

Current Search:

index=PQRST sourcetype=TEST SNAME=DEMO |  rex "(?\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES" |  eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0))|table ACCNO,duration

Output:

ACCNO        duration
20161234     1.05
20161234     1.04

Thanks,
P

somesoni2 · ‎07-19-2016

Try this runanywhere sample (from your data in question). This does calculate the duration as your expectation. If this is not what you want, could you provide the table you're expecting
Everything before rex is to generate sample data.

| gentimes start=-1 | eval temp="20160719T181321.405 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181320.400 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181231.906 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181230.902 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | extract kvdelim="=" 
|   rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval _time=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES"

View solution in original post

somesoni2 · ‎07-19-2016

Try this runanywhere sample (from your data in question). This does calculate the duration as your expectation. If this is not what you want, could you provide the table you're expecting
Everything before rex is to generate sample data.

| gentimes start=-1 | eval temp="20160719T181321.405 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181320.400 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181231.906 GMT MESSAGE=\"RES\" SNAME=\"DEMO\" ACCNO=\"20161234\"#20160719T181230.902 GMT MESSAGE=\"REQ\" SNAME=\"DEMO\" ACCNO=\"20161234\"" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | extract kvdelim="=" 
|   rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval _time=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES"

mprreddy51 · ‎07-19-2016

Hi @somesoni2

I have a big events,I made short, and 1000's of events like this.for each ACCNO there will be 2 REQ and 2 RES like I shown.Some times there may be One REQ and One RES also.I want to caluclate the time taken first req and first res for same accno.example:If there are 2 request and 2 response for same accno,then I should get the time taken first req and first res, tike taken by second req and second res.

expected output:

ACCNO DURATION
20161234 1.05(Difference between 1st req and first res)
20161234 1.04(difference between 2nd req and second res)
similar for other accno also......

somesoni2 · ‎07-19-2016

Give this a try

index=PQRST sourcetype=TEST SNAME=DEMO MESSAGE="RES"  OR MESSAGE="REQ"|  rex "(?\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") |  transaction SNAME startswith="REQ" endswith="RES" |  eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0))|table ACCNO,duration

richgalloway · ‎07-19-2016

Duration is calculated automatically by the transaction command.

---
If this reply helps you, Karma would be appreciated.

mprreddy51 · ‎07-19-2016

I know duration will come automatically with transaction.

I want the below format for the above data.Calculation should be first "REQ" and first "RES" time and same way second REQ and second RES time.

ACCNO duration
20161234 1.05
20161234 1.04

How to edit my transaction search to calculate duration?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms