I have the following data, and i want to find the time difference between start and end of the request for SID, need to ignore the START with no END,
Note : in the below list Events (2,3), (4, 5), (10,11) are valid as they have start and end, the difference between these events is required
_time SID REQUEST
1 2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
2 2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
3 2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
4 2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
5 2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
6 2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
7 2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
8 2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
9 2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END
| makeresults
| eval _raw="No time SID REQUEST
1 2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
2 2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
3 2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
4 2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
5 2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
6 2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
7 2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
8 2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
9 2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END"
| multikv forceheader=1
| eval _time=strptime(time,"%F %T.%q")
| table _time SID REQUEST
| rename COMMENT AS "this is sample data you provide")
| rename COMMENT AS "From here, the logic"
| streamstats count(eval(REQUEST="START")) as session
| stats earliest(_time) as start latest(_time) as end range(_time) as duration count(session) as flag by session SID
| eval start=strftime(start,"%F %T.%3q"), end=strftime(end,"%F %T.%3q")
| where flag > 1
| table SID start end duration
If the volume of logs is large and transaction
is heavy, try this.
Thanks for the response, solution provided is appropriate, appreciate your supports
hi, @saikumarkomati
Please accept the answer and close question.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
Try something like
|transaction SID startswith=START endswith=END
the duration is the time difference