Is it possible to correlate data to come up with a transaction time given this scenario? I want to calculate and chart the transaction time between a recv record and a send record identified by the last field below. For example, the transaction time between 20120807 18:36:05 recv 9896A065210R04 and 20120807 18:36:19 send ACK 9896A065210R04 would be 14 seconds.
20120807 18:36:05 recv 9896A065210R04
20120807 18:36:05 recv 2910A005512372
20120807 18:36:05 recv 9795A019041S68
20120807 18:36:05 recv 9218A023441377
20120807 18:36:05 recv 6179A004360374
20120807 18:36:05 recv 2076A001701R48
20120807 18:36:05 recv 2076A001610R48
20120807 18:36:15 send ACK 5818A04030131X
20120807 18:36:15 send ACK 8320A0014JO000
20120807 18:36:15 send ACK 6716A014641303
20120807 18:36:16 send ACK 2887A06962V21F
20120807 18:36:19 send ACK 8320A001609000
20120807 18:36:19 send ACK 9896A065210R04
20120807 18:36:23 send ACK 2910A005512372
20120807 18:36:23 send ACK A0032436007492
20120807 18:36:23 send ACK 9218A023441377
20120807 18:36:23 send ACK 9795A019041S68
20120807 18:36:26 send ACK 2076A001701R48
20120807 18:36:27 send ACK 2076A001610R48
20120807 18:36:27 send ACK 6866A039301R02
20120807 18:36:27 send ACK 6179A004360374
The transaction command will give you this duration.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction
Assuming you had a field called id for 20120807, it would look like this:
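
The pairing asked about in the question, as an added Python example that is not part of the original answer and runs outside Splunk: it matches each recv to the later send ACK carrying the same last field and reports the elapsed seconds, keeping unmatched records separate. The sample lines come from the question except the last one, which is constructed to show a recv with no ACK; the function names are assumptions of this example.

```python
from datetime import datetime

# Lines from the question, plus one constructed line (the last) with no ACK.
SAMPLE_LOG = """\
20120807 18:36:05 recv 9896A065210R04
20120807 18:36:05 recv 2910A005512372
20120807 18:36:05 recv 2076A001610R48
20120807 18:36:15 send ACK 5818A04030131X
20120807 18:36:19 send ACK 9896A065210R04
20120807 18:36:23 send ACK 2910A005512372
20120807 18:36:27 send ACK 2076A001610R48
20120807 18:36:30 recv 0000A000000000
"""

def parse_line(line):
    """Return (timestamp, action, txn_id), or None if the line does not fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y%m%d %H:%M:%S")
    except ValueError:
        return None
    action = " ".join(parts[2:-1])  # "recv" or "send ACK"
    return ts, action, parts[-1]    # the last field identifies the transaction

def correlate(log_text):
    """Pair recv with send ACK by id.

    Returns (durations in seconds by id, ACKs with no recv, recvs with no ACK).
    """
    pending, durations, orphan_acks = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, action, txn_id = rec
        if action == "recv":
            pending.setdefault(txn_id, ts)  # keep the first recv if repeated
        elif action == "send ACK":
            start = pending.pop(txn_id, None)
            if start is None:
                orphan_acks.append(txn_id)  # recv fell outside the window
            else:
                durations[txn_id] = (ts - start).total_seconds()
    return durations, orphan_acks, sorted(pending)

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

ACKs whose recv is outside the searched time range end up in the second list instead of producing a misleading duration.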