Correlate data

bsteph
Explorer

Is it possible to correlate data to come up with a transaction time given this scenario? I want to calculate and chart the transaction time between a recv record and a send record identified by the last field below. For example, the transaction time between 20120807 18:36:05 recv 9896A065210R04 and 20120807 18:36:19 send ACK 9896A065210R04 would be 14 seconds.

20120807 18:36:05 recv 9896A065210R04
20120807 18:36:05 recv 2910A005512372
20120807 18:36:05 recv 9795A019041S68
20120807 18:36:05 recv 9218A023441377
20120807 18:36:05 recv 6179A004360374
20120807 18:36:05 recv 2076A001701R48
20120807 18:36:05 recv 2076A001610R48
20120807 18:36:15 send ACK 5818A04030131X
20120807 18:36:15 send ACK 8320A0014JO000
20120807 18:36:15 send ACK 6716A014641303
20120807 18:36:16 send ACK 2887A06962V21F
20120807 18:36:19 send ACK 8320A001609000
20120807 18:36:19 send ACK 9896A065210R04
20120807 18:36:23 send ACK 2910A005512372
20120807 18:36:23 send ACK A0032436007492
20120807 18:36:23 send ACK 9218A023441377
20120807 18:36:23 send ACK 9795A019041S68
20120807 18:36:26 send ACK 2076A001701R48
20120807 18:36:27 send ACK 2076A001610R48
20120807 18:36:27 send ACK 6866A039301R02
20120807 18:36:27 send ACK 6179A004360374

sdaniels
Splunk Employee

The transaction command will give you this duration.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Assuming you had a field called id for 20120807, it would look like this:

| transaction id
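
The recv/send pairing asked about above, as an added Python example that is not part of the original posts and is not Splunk code: it keys each record on the last field, as the question describes, and reports ids seen on only one side separately instead of giving them a duration. The function names are hypothetical and the input is a constructed subset of the posted lines.

```python
from datetime import datetime
from statistics import mean

# Constructed sample: a subset of the lines posted in the question.
SAMPLE = """\
20120807 18:36:05 recv 9896A065210R04
20120807 18:36:05 recv 2910A005512372
20120807 18:36:05 recv 2076A001701R48
20120807 18:36:15 send ACK 5818A04030131X
20120807 18:36:19 send ACK 9896A065210R04
20120807 18:36:23 send ACK 2910A005512372
"""

def parse(line):
    """Return (timestamp, direction, id); the id is the last field."""
    fields = line.split()
    ts = datetime.strptime(" ".join(fields[:2]), "%Y%m%d %H:%M:%S")
    return ts, fields[2], fields[-1]

def correlate(text):
    """Pair each recv with the first later send for the same id.

    Returns (durations, orphans): seconds per completed id, plus ids seen
    with only a recv or only a send, which would otherwise skew a chart.
    """
    pending, durations, orphans = {}, {}, []
    records = sorted(parse(l) for l in text.splitlines() if l.strip())
    # Sorting puts "recv" before "send" when both share the same second.
    for ts, direction, ident in records:
        if direction == "recv":
            pending.setdefault(ident, ts)  # keep the earliest recv
        elif ident in pending:
            durations[ident] = (ts - pending.pop(ident)).total_seconds()
        else:
            orphans.append(ident)  # send with no recv in the window
    orphans.extend(pending)  # recv that was never acknowledged
    return durations, orphans

if __name__ == "__main__":
    durations, orphans = correlate(SAMPLE)
    for ident, secs in durations.items():
        print(f"{ident} {secs:.0f}s")
    print(f"avg {mean(durations.values()):.1f}s, unmatched: {orphans}")
```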
