Splunk Search

How to find the duration for order submission to each suborder process.

ravi08402
New Member

I am working for a product where I will have one order number, it has multiple suborders.
Once each suborder processes, I will get the suborder number and main order number.
I need to find the duration for order submission to each suborder process.

For example:
my order is abc, sub orders i have 1,2,3
my result set should be
order   sub order   duration
abc     1           10
abc     2           23
abc     3           15

When I use transaction for this search, I get the duration from main order submission to the last sub order processed.
How do I get the individual durations?

0 Karma
1 Solution

diogofgm
SplunkTrust
SplunkTrust

Try this:

(sourcetype="source1" AuditLog: A=CR) 
| join OrderNumber [search (source="source2" Source=RESPONSE) | stats min(_time) AS start by OrderNumber]
| eval duration = _time - start

Explanation:
A sub search gets the time for each order number, and the join then adds that result to the sub order events using the order number, making the order time available in every sub order. From there you can just calculate the duration using eval.

------------
Hope I was able to help you. If so, some karma would be appreciated.


0 Karma


ravi08402
New Member

Thanks it worked for me

0 Karma

niketn
Legend

@ravi08402 please add more details to the events from your sub order that help you identify that the sub order is being processed and that processing has completed. Also, is there a state in the main order that identifies it starting and completing?

What is the current transaction command you are using?

Please ensure to mock/anonymize any sensitive information in your data/code before posting on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ravi08402
New Member

@niketnilay When I submit an order, the log looks like below.

2019-08-05 21:27:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub line (sub order) details as below.

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

When I use this query, all possible events are combined into one event.
(source="source2" Source=RESPONSE) OR (sourcetype="source1" AuditLog: A=CR) | transaction OrderNumber duration

I need to know the time difference between the main line and each sub line's processing, i.e. the duration per sub line.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Are the timestamps in your example data correct?
Is there a relation between LineSeqNumber and timestamp?
Is it safe to assume the order happens before the sub orders? (It's not the case in your example data.)

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

ravi08402
New Member

2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550

After the request is processed, we can see the individual sub line (sub order) details as below.

2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success
2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success
2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success
2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success
2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail

Corrected the timestamp. No, there is no relation between timestamp and LineSeqNumber.

0 Karma
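The accepted answer's pipeline (min start time per OrderNumber from the RESPONSE events, joined onto the AuditLog sub order events, then duration = _time - start) can be checked offline against the corrected sample events above. The following is an added example written for this page, not code from the thread or from Splunk; it re-implements that join in Python over constructed copies of the posted log lines and assumes the key=value layout shown (timestamp, INFO, optional {nnn}, then comma-separated fields) and that the RESPONSE event marks order submission. The extra event for order 99999999, the function names and the unmatched_suborders check are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample events: the corrected order and sub order lines from the thread,
# one RESPONSE event for the order and one AuditLog event per LineSeqNumber.
SAMPLE_EVENTS = [
    "2019-08-05 21:26:20,311 INFO Source=RESPONSE,ReqId=15686047,RequestId=bc50733f-c73e-4ea1-87f2-735a4c761a0e,OrderNumber=10169550",
    "2019-08-05 21:27:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=5,Status=Success",
    "2019-08-05 21:29:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=1,Status=Success",
    "2019-08-05 21:27:42,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=2,Status=Success",
    "2019-08-05 21:28:32,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=3,Status=Success",
    "2019-08-05 21:27:12,354 INFO {193} AuditLog:A=CR,OrderNumber=10169550,LineSeqNumber=4,Status=Fail",
    # Constructed extra line (not from the thread): a sub order whose parent order never logged a RESPONSE event.
    "2019-08-05 21:30:00,000 INFO {193} AuditLog:A=CR,OrderNumber=99999999,LineSeqNumber=1,Status=Success",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Return a dict of key=value fields plus '_time', or None if the line has no leading timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return fields


def order_start_times(events):
    """Equivalent of the subsearch: Source=RESPONSE | stats min(_time) AS start by OrderNumber."""
    start = {}
    for e in events:
        if e.get("Source") == "RESPONSE" and "OrderNumber" in e:
            order = e["OrderNumber"]
            if order not in start or e["_time"] < start[order]:
                start[order] = e["_time"]
    return start


def suborder_durations(lines):
    """Equivalent of: AuditLog A=CR events | join OrderNumber [...] | eval duration = _time - start.

    Returns one row per sub order event (order, suborder, status, duration in seconds),
    sorted by order and LineSeqNumber. Like the inner join in SPL, sub orders whose
    OrderNumber has no matching RESPONSE event are dropped.
    """
    events = [e for e in (parse_event(line) for line in lines) if e]
    start = order_start_times(events)
    rows = []
    for e in events:
        if e.get("A") != "CR" or e.get("OrderNumber") not in start:
            continue
        seconds = (e["_time"] - start[e["OrderNumber"]]).total_seconds()
        rows.append({
            "order": e["OrderNumber"],
            "suborder": int(e["LineSeqNumber"]),
            "status": e.get("Status", ""),
            "duration": round(seconds, 3),
        })
    rows.sort(key=lambda r: (r["order"], r["suborder"]))
    return rows


def unmatched_suborders(lines):
    """OrderNumbers of sub order events that have no RESPONSE event; the join silently drops these."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    start = order_start_times(events)
    return sorted({e["OrderNumber"] for e in events
                   if e.get("A") == "CR" and e.get("OrderNumber") not in start})


if __name__ == "__main__":
    print("order     suborder  status   duration")
    for r in suborder_durations(SAMPLE_EVENTS):
        print(f"{r['order']:<9} {r['suborder']:<9} {r['status']:<8} {r['duration']}")
    print("dropped by join:", unmatched_suborders(SAMPLE_EVENTS))
```

Run as a script it prints one row per LineSeqNumber for order 10169550 (for example sub order 4, Status=Fail, 52.043 seconds after submission) and lists order 99999999 as dropped. That last check is the caveat worth carrying back to the Splunk search: an inner join produces no row at all for a sub order whose order event is missing or outside the search window, so a silent gap in the result set is easy to mistake for "no sub orders", and a separate count of unmatched OrderNumbers is a cheap way to notice it.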