Splunk Search

How to get duration for a transaction with multiple start and end points?

amunag439
Explorer

Hi,

I'm looking to get a duration for a transaction that has multiple pairs of StartsWith and EndsWith conditions.

Log Pair 1:
start: id=1111 msg=trying to get info...
end: id=1111 msg=returing info...

Log Pair 2:
start: id=2222 msg=calling service to get info...
end: id=2222 msg=got info from service...

A given transaction can have either pair 1 or pair 2 logs but they do not co-exists.
I have tried using the following query to get the time duration between the above events but I wasn't successfull.

my search | eval transaction_start=if(in(msg, "trying to get info", "calling service to get info"), _time, NULL), transaction_end=if(in(msg, "returing info", "got info from service"), _time, NULL) | stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY id | eval duration=tostring((end_time-start_time), "duration")

How do I get the time duration for these logs where start and end pair may vary?

0 Karma

solarboyz1
Builder

Do you need to use transactions? Are the id's re-used? If not, you might be able to just use stats:

your search | stats min(eval(match(msg,"(trying|calling service) to get",_time,NULL))) as start, max(eval(match(msg,"(got|returning) info",_time,NULL))) as stop, values(msg) as msg by id
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...