Calculate Transaction Time?

jayvrod
Explorer
08/17/10,0:15:02,start   load_updates.sh 9.3
08/17/10,0:20:04,start   load_updates.sh 9.3
08/17/10,0:25:02,start   load_updates.sh 9.3
08/17/10,0:30:06,start   load_updates.sh 9.3
08/17/10,0:35:09,start   load_updates.sh 9.3
08/17/10,0:38:02,finish  load_updates.sh 9.3  status 0
08/17/10,0:40:02,start   load_updates.sh 9.3
08/17/10,0:45:09,start   load_updates.sh 9.3
08/17/10,0:49:03,finish  load_updates.sh 9.3  status 0

I would like to see a time difference, for example how long between the first start and the finish? In other words, how long did it take to load? The extra starts are the shell script trying to start again but failing due to a lock file.

Stephen_Sorkin
Splunk Employee

Assuming that you want the time from the first start to the first finish line, and in this sample there are two separate times, you should use the transaction command. For example:

source=txnlog | transaction source endswith=finish

This will assemble the data into transactions with a duration field that represents the difference between start and finish times.

Stephen_Sorkin
Splunk Employee

You want something like:

source=txnlog earliest=-24h | transaction source endswith=finish | timechart span=1h sum(duration) count

0 Karma

jayvrod
Explorer

Thanks, but my result is
8/12/10 12:00:00.000 AM 158.523810
My goal is to see, during the day, how long each start - finish combo is taking to load, in time. For example, at 7am load_updates ran 5 times and it took 2 minutes each time.

0 Karma

Stephen_Sorkin
Splunk Employee

Just add | timechart avg(duration) to the search. You can pick another aggregation function like median or max if you prefer. You can also add "count" to the timechart to see how many transactions you had.

0 Karma
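
Added example, not part of the original thread and not Splunk's code: a Python sketch of the grouping the answers above describe, run over the sample log from the question. It pairs the first start with the next finish, counts the lock-file retries in between, and computes the count/avg/max that the timechart aggregations would report. Function names are hypothetical, and ignoring a finish that has no open start is an assumption of this sketch.

```python
from datetime import datetime

# Constructed sample: the log lines quoted in the question above.
SAMPLE_LOG = """\
08/17/10,0:15:02,start   load_updates.sh 9.3
08/17/10,0:20:04,start   load_updates.sh 9.3
08/17/10,0:25:02,start   load_updates.sh 9.3
08/17/10,0:30:06,start   load_updates.sh 9.3
08/17/10,0:35:09,start   load_updates.sh 9.3
08/17/10,0:38:02,finish  load_updates.sh 9.3  status 0
08/17/10,0:40:02,start   load_updates.sh 9.3
08/17/10,0:45:09,start   load_updates.sh 9.3
08/17/10,0:49:03,finish  load_updates.sh 9.3  status 0
"""

def parse_line(line):
    """Split 'MM/DD/YY,H:MM:SS,action script ...' into (timestamp, action)."""
    date_part, time_part, rest = line.split(",", 2)
    ts = datetime.strptime(f"{date_part} {time_part}", "%m/%d/%y %H:%M:%S")
    return ts, rest.split()[0]

def transactions(lines):
    """Group events into transactions that close on a 'finish' line.
    The first 'start' opens a transaction; later 'start' lines before the
    finish (the lock-file retries) stay inside it and do not reset it."""
    result, opened, retries = [], None, 0
    for line in filter(str.strip, lines):
        ts, action = parse_line(line)
        if action == "start":
            if opened is None:
                opened = ts          # first start opens the transaction
            else:
                retries += 1         # retry that was blocked by the lock file
        elif action == "finish" and opened is not None:
            result.append({"start": opened, "finish": ts, "retries": retries,
                           "duration": (ts - opened).total_seconds()})
            opened, retries = None, 0
    return result

def summarize(txns):
    """count / avg / max of duration in seconds over a list of transactions."""
    d = [t["duration"] for t in txns]
    return {"count": len(d), "avg": sum(d) / len(d) if d else 0.0,
            "max": max(d, default=0.0)}

if __name__ == "__main__":
    txns = transactions(SAMPLE_LOG.splitlines())
    for t in txns:
        print(t["start"], "->", t["finish"], t["duration"], "s, retries:", t["retries"])
    print(summarize(txns))
```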

jayvrod
Explorer

Thanks
That helped, but now I get this.
How do I graph the time?

For some reason my far left column only shows hour and minute; seconds is 00.000 PM

8/17/10
3:02:00.000 PM

08/17/10,0:15:02,start load_updates.sh 9.3
08/17/10,0:20:04,start load_updates.sh 9.3
08/17/10,0:25:02,start load_updates.sh 9.3
08/17/10,0:30:06,start load_updates.sh 9.3
08/17/10,0:35:09,start load_updates.sh 9.3
08/17/10,0:38:02,finish load_updates.sh 9.3 status 0
date_hour=15 Options| date_hour=20 Options| date_mday=17 Options| date_minute=2 Options| date_minute=4 Options

0 Karma