Splunk Search

How to get stats from different events?

vkari
New Member

How do I get different event names with the same reference ID, the start time from one event and the end time from another event, and the average total time over a span of time?

eventName 505 (startTime) ---- 507 with PROCESSED status (endTime). Total average time

=================================================================

index=caudit eventName=505
| search "EventStreamData.args.verificationId"="8387be8f"
| search "EventStreamData.requestContext.eventStartTime"=*

index=caudit eventName=507
| search "EventStreamData.args.verificationId"="8387be8f"
| search "EventStreamData.response.verificationStatus"=PROCESSED
| search "EventStreamData.requestContext.eventEndTime"=*

The result will be:

start time    end time    average time
12:00:00      12:00:30    .000000xxx
0 Karma

woodcock
Esteemed Legend

Like this:

index=caudit AND (eventName=505 OR eventName=507)
| streamstats count(eval('EventStreamData.response.verificationStatus'="PROCESSED")) AS sessionID BY EventStreamData.args.verificationId
| stats min(_time) AS start_time max(_time) AS end_time range(_time) AS duration BY EventStreamData.args.verificationId sessionID
0 Karma

vkari
New Member

The query won't work for me

Here is where my business model starts: the reference ID is created at eventName=505, along with the 505 "EventStreamData start time". With the same reference ID, only some of the requests go through eventName=507; there (507) the verification status=PROCESSED, and the "EventStreamData end time" comes from there.

The average time from both start times to the end time needs to be displayed.

index=caudit eventName=505
| search "EventStreamData.args.verificationId"="8387be8f"
| search "EventStreamData.requestContext.eventStartTime"=*

index=caudit eventName=507
| search "EventStreamData.args.verificationId"="8387be8f"
| search "EventStreamData.response.verificationStatus"=PROCESSED
| search "EventStreamData.requestContext.eventEndTime"=*

0 Karma

woodcock
Esteemed Legend

I gave you enough for you to craft a complete solution. I cannot help you because you are mixing and matching things that do not make sense. You cannot really have a start, end, and average time. You need to be more clear about your example. In any case, I think if you really think about my answer, it has everything that you need to do anything that you might like to do.

0 Karma
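An added example, not posted by either participant, showing one way to pair the 505 start with the PROCESSED 507 end per verification ID and compute the average. It assumes the field names and event codes from the question, and that `_time` of each event is the timestamp to measure (the payload's eventStartTime/eventEndTime fields could be substituted via strptime).

```spl
index=caudit (eventName=505 OR (eventName=507 "EventStreamData.response.verificationStatus"=PROCESSED))
| eval verificationId='EventStreamData.args.verificationId'
| stats min(eval(if(eventName="505", _time, null()))) AS start_time
        max(eval(if(eventName="507", _time, null()))) AS end_time
        BY verificationId
| where isnotnull(start_time) AND isnotnull(end_time)
| eval duration=end_time-start_time
| eventstats avg(duration) AS avg_duration
| fieldformat start_time=strftime(start_time, "%H:%M:%S")
| fieldformat end_time=strftime(end_time, "%H:%M:%S")
| table verificationId start_time end_time duration avg_duration
```

The `where` drops IDs that started but never reached PROCESSED, so they do not pull the average down; replace the `eventstats` line with `| stats avg(duration) AS avg_duration count AS completed` if only the overall figure for the search time range is wanted.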