I have IIS events which look like below. Looking to compute the total time taken from the Splunk timestamp, which in this case is 3 secs, from the 07th to the 10th second.
How can I compute this from eval?
2020-03-11 22:29:10 /Logout Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:07 /Login Transaction:=InpatUPMC_090_Billing_WorklistLoad
Using the transaction command you will get the following:
| makeresults
| eval _raw = "_time, action, transact
2020-03-11 22:29:10, /Logout, Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:07, /Login, Transaction:=InpatUPMC_090_Billing_WorklistLoad
"
| multikv forceheader=1
| transaction transact maxevents=2 mvlist=time
| eval prev_time=strptime(mvindex(time, 0) , "%Y-%m-%d %H:%M:%S")
| eval last_time=strptime(mvindex(time, 1), "%Y-%m-%d %H:%M:%S")
| eval duration = round(last_time - prev_time,1)."seconds"
| table transact action duration
transact action duration
Transaction:=InpatUPMC_090_Billing_WorklistLoad /Login /Logout 3.0seconds
Anmol,
thanks for the feedback. While I cannot use makeresults because I have several hundred such events which have different Transactions and their corresponding IIS calls and timestamps, I am exploring this option now.
To clear any confusion, note my event has a synthetic field named Transaction as well.
index=myindex | multikv forceheader=1
| transaction Transaction maxevents=100 mvlist=time
| eval prev_time=strptime(mvindex(time, 0) , "%Y-%m-%d %H:%M:%S")
| eval last_time=strptime(mvindex(time, 1), "%Y-%m-%d %H:%M:%S")
| eval duration = round(last_time - prev_time,1)."seconds"
| table Transaction
Using this search is grouping all my 10 events for Transaction abc into a single transaction (which is good); however, the prev_time and last_time are still not evaluated.
Essentially the prev_time should be the earliest timestamp for the transaction and the last_time should be the most recent one.
To give you an example of events:
10 events with Transaction abc: need to compute the time between the 1st and 10th event.
10 events with Transaction def: need to compute the time between the 1st and 10th event.
@MOHITJOSHI
The makeresults command up to the multikv command is there to create dummy data to demonstrate. In the original query, just use index=myindex
followed by the below from the transaction command onwards.
This example is with three events; notice how execution changes, as now we need to look at what the first transaction is and what the last transaction is. Also, since the "time" column has more than 2 values, the mvindex above will not apply, so it needs to be modified to handle "n" number of values.
| makeresults
| eval _raw = "_time, action, transact
2020-03-11 22:29:20, /Logout, Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:10, /other, Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:07, /Login, Transaction:=InpatUPMC_090_Billing_WorklistLoad
"
| multikv forceheader=1
| transaction transact startswith="action=*Login" endswith="action=*Logout" mvlist=time
| eval prev_time=strptime(mvindex(time, 0) , "%Y-%m-%d %H:%M:%S")
| eval last_time=strptime(mvindex(time, mvcount(time) - 1), "%Y-%m-%d %H:%M:%S")
| eval duration = round(last_time - prev_time,1)."seconds"
| table transact action duration
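For anyone who wants to check the logic of the two searches above (first timestamp via mvindex(time, 0), last timestamp via mvindex(time, mvcount(time) - 1)) outside Splunk, here is an added Python example that is not part of this thread. It parses constructed IIS-style events of the same shape, groups them by the Transaction field, sorts each group by timestamp (so it does not matter whether events arrive newest-first, as Splunk lists them, or oldest-first) and reports the span between the earliest and latest event per transaction. It also covers the case the startswith/endswith search guards against: a transaction that has no /Login...Logout pair is reported as incomplete instead of getting a misleading duration. The sample events and the transaction names abc and def are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the thread's format, listed newest-first
# the way Splunk shows them. Not taken from a real IIS log.
SAMPLE_EVENTS = """\
2020-03-11 22:29:20 /Logout Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:10 /other Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:29:07 /Login Transaction:=InpatUPMC_090_Billing_WorklistLoad
2020-03-11 22:31:05 /Logout Transaction:=abc
2020-03-11 22:30:00 /Login Transaction:=abc
2020-03-11 22:32:00 /Login Transaction:=def
"""

# Same format string the SPL strptime() calls in the thread use.
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_event(line):
    """Split one event into (timestamp, action, transaction name).

    The event shape is '<date> <time> <action> Transaction:=<name>'.
    A line without a Transaction:= field is rejected rather than guessed at.
    """
    date, clock, action, field = line.split(maxsplit=3)
    key, sep, value = field.partition(":=")
    if key != "Transaction" or not sep or not value:
        raise ValueError(f"no Transaction:= field in event: {line!r}")
    return datetime.strptime(f"{date} {clock}", TIME_FMT), action, value


def transaction_durations(raw, require_login_logout=False):
    """Return {transaction: duration_seconds} for every transaction in raw.

    Equivalent of the thread's transaction + mvindex searches: duration is
    last timestamp minus first timestamp, rounded to one decimal like the
    SPL round(..., 1). With require_login_logout=True a transaction whose
    earliest event is not /Login or whose latest is not /Logout is reported
    as None, mirroring what startswith/endswith would drop.
    """
    groups = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, action, transaction = parse_event(line)
        groups[transaction].append((ts, action))

    durations = {}
    for transaction, events in groups.items():
        # Sort by timestamp so the first/last pick is correct whatever order
        # the events were indexed or listed in.
        events.sort()
        first_ts, first_action = events[0]      # mvindex(time, 0)
        last_ts, last_action = events[-1]       # mvindex(time, mvcount(time) - 1)
        if require_login_logout and (first_action != "/Login" or last_action != "/Logout"):
            durations[transaction] = None       # incomplete transaction
            continue
        durations[transaction] = round((last_ts - first_ts).total_seconds(), 1)
    return durations


if __name__ == "__main__":
    for name, secs in transaction_durations(SAMPLE_EVENTS, require_login_logout=True).items():
        print(f"{name}: {'incomplete' if secs is None else f'{secs}seconds'}")
```

Run as a script it prints 13.0seconds for the InpatUPMC transaction, 65.0seconds for abc and "incomplete" for def, which only has a /Login. Without require_login_logout the single-event transaction def reports 0.0 seconds, which is the same answer a plain transaction command without startswith/endswith would give and is usually not what you want when measuring Login-to-Logout time.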
What is the search you are using to give you the two events? Are you using transaction?