Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Duration determination

roayers
Explorer
‎01-26-2019 09:34 AM

Here is a sample of a connection that spans the midnight hour into the next day. I'm trying to extract a new field named duration that contains the difference between the connect and disconnect times in a human readable format

1547514148 2019-01-14 20:02:27 connect johndoe
1547530430 2019-01-15 00:33:49 disconnect johndoe

I've tried many different splunk commands such as stats, eval and transaction commands from many posts here but have been unsuccessful

Thanks in advance,
Robert

Tags (2)
0 Karma
Reply

whrg
Motivator
‎01-26-2019 10:38 AM

Hello Robert,

I assume you have the fields _time, action (connect|disconnect) and username available; or named something similar.

If you are missing the _time field, then use the strptime() eval function to create it.

Now I suggest you use the transaction command as follows:

your base search
| transaction user startswith=(status="connect") endswith=(status="disconnect")
| eval duration=tostring(duration, "duration")

The transaction command will create the duration field.

The eval command will convert the duration from the number of seconds to the more human readable format HH:MM:SS.

0 Karma
Reply

roayers
Explorer
‎01-26-2019 11:42 AM

This worked after I changed the field name status to action

status="connect") endswith=(status="disconnect") to this
action="connect") endswith=(action="disconnect")

0 Karma
Reply

woodcock
Esteemed Legend
‎01-26-2019 10:29 AM

Like this (assuming user is the field that owns johndoe😞

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| streamstats count(searchmatch("disconnect")) AS sessionID BY user
| stats range(_time) AS duration BY sessionID user

And then maybe also

| eval duration = tostring(duration, "duration")
0 Karma
Reply

roayers
Explorer
‎01-26-2019 11:42 AM

This generated the following error
Error in 'SearchProcessor': Mismatched quotes and/or parenthesis.

0 Karma
Reply

woodcock
Esteemed Legend
‎01-26-2019 01:43 PM

I was missing a ). I updated my answer. Try it now, @roayers.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...