Splunk Search

How to calculate respose time between two events

premselvans
New Member

I have a table as below. I need to calculate the time difference between the below two events.

request_pid _time Milli_Sec request_type
11600 2016-11-19 17:20:50 17.262275 LeaveBidsRequest
11600 2016-11-19 17:20:51 17.803375 LeaveBidsRequest
19243 2016-11-19 17:36:51 77.376436 LeaveBidsRequest
19243 2016-11-19 17:36:53 78.502509 LeaveBidsRequest
21012 2016-11-19 17:38:38 67.263722 LeaveBidsRequest
21012 2016-11-19 17:38:38 67.678533 LeaveBidsRequest

Sample output like
request_pid Response_Time
11600 1.5411.

Can someone help me?

Tags (2)
0 Karma

lguinn2
Legend

I agree with @nikenilay that stats is the best way to go. But I think there is a much easier stats command to do what you want

 Your base Search  request_type="LeaveBidsRequest" 
| stats range(_time) as Response_Time  earliest(Milli_Sec) as ems latest(Milli_Sec) as lms by request_pid
| eval Response_Time = Response_Time + lms - ems | fields - lms ems

Hope this helps!

0 Karma

niketn
Legend

OPTION 1 : Using stats command
Best way to do is by Stats as it will run faster and give you control over inputs/outputs:

 Your base Search  request_type="LeaveBidsRequest" | stats count(request_pid) as eventcount min(_time) as MinTime max(_time) as  MaxTime by request_pid | search eventcount>1 | eval Response_Time=(MaxTime-MinTime) | table request_pid Response_Time

OPTION 2 : Using transaction command
You can also try transaction which is easier to write but should not be executed for longer duration resulting in several thousand event matches (which might result in slowness and orphaned records).

 Your base Search  request_type="LeaveBidsRequest" | transaction request_pid | search eventcount>1 | rename duration as  Response_Time | table request_pid Response_Time

PS:
1) Response_Time is in seconds for both examples.
2) Transaction Command computes eventcount and duration automatically (based on first and last events matched).
3) Use of maxpause, maxspan, keeporphaned, keepevicted, startswith and endswith should be considered for transaction to run faster. Nevertheless Transaction is only suitable if you provide Key field in your search like reques_pid in your Use case. Otherwise stats should be used for scenarios like this.
4) Another scenario in all Use Case would be to find orphaned records or eventcount=1, where no match for LeaveBidsRequest is found for duration> defined SLA.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

premselvans
New Member

Hello niketnilay,

Hope you are doing well.

Thanks for the answer. I've tried transaction already. But it gives difference in seconds.

I would like to subtract the time as below

11600 2016-11-19 17:20:50 17.262275 LeaveBidsRequest
11600 2016-11-19 17:20:51 17.803375 LeaveBidsRequest

Response_Time=(2016-11-19 17:20:51 17.803375) - (2016-11-19 17:20:50 17.262275)

Milli_Sec is stored as a separate field.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...