Hello Folks,
This time I would like to have the difference between two timestamps, but considering all the logs in the Apache access log file. So, going through the details, I have an Apache access log which is giving me the following:
0.2.1.44 - - [10/Jun/2013 13:39:03:104] "GET /cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01&JSESSIONID=SD8SL1FF5ADFF1 HTTP 1.1" 503 879 "http://shop.gourmet-shop.com/cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
101 1.178.233.243 - - [10/Jun/2013 13:34:04:151] "GET /oldlink?item_id=EST-12&JSESSIONID=SD10SL3FF4ADFF2 HTTP 1.1" 200 1312 "http://shop.gourmet-shop.com/category.screen?category_id=BAKING" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 147
My _time field is working well. My intention is to dynamically have the difference between/among timestamps...
search ... (10/Jun/2013 13:34:04:151 - 10/Jun/2013 13:39:03:104)
Can you guys help with that?
Thanks a lot.
This is some data from the AppMgmt demo app, right? What is it that you want to do? Transactions based off IP or JSESSIONID? Neither will work well, as this is generated test data. If you want to play with it anyway, see the link below from @dwaddle.
If you just want to see the difference between events for some numerical field, e.g. _time, status, bytes, time_taken, then you could look at the delta command.
This sounds roughly like a transaction.
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouttransactions
When you define a transaction, Splunk will automatically compute duration, which is the amount of time between the first and last event in the transaction.
Also, read Chap 7 of Carasso's book, http://www.splunk.com/goto/book
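As an added illustration that is not part of this thread (and not Splunk's own code; inside Splunk you would use the `delta` and `transaction` commands named in the answers above), the script below parses the question's access-log format outside Splunk and computes the two things the answers describe: the gap between each event and the previous one on `_time` (what `delta` gives you), and the first-to-last duration per JSESSIONID (what `transaction` gives you). The sample lines are modelled on the two events quoted in the question; the third line is constructed so that one session has two events. Field names such as `parse_log`, `time_deltas` and `session_durations` are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first two lines mirror the question's events (stray
# numbers outside the combined-log fields are dropped); the third is invented
# so that JSESSIONID SD8SL1FF5ADFF1 has two events and a non-zero duration.
SAMPLE_LOG = """\
0.2.1.44 - - [10/Jun/2013 13:39:03:104] "GET /cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01&JSESSIONID=SD8SL1FF5ADFF1 HTTP 1.1" 503 879 "http://shop.gourmet-shop.com/cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1.178.233.243 - - [10/Jun/2013 13:34:04:151] "GET /oldlink?item_id=EST-12&JSESSIONID=SD10SL3FF4ADFF2 HTTP 1.1" 200 1312 "http://shop.gourmet-shop.com/category.screen?category_id=BAKING" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
0.2.1.44 - - [10/Jun/2013 13:38:00:000] "GET /product.screen?product_id=K9-CW-01&JSESSIONID=SD8SL1FF5ADFF1 HTTP 1.1" 200 2048 "http://shop.gourmet-shop.com/category.screen?category_id=DOGS" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Combined-log prefix: client, ident, user, [timestamp], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SESSION_RE = re.compile(r"JSESSIONID=([A-Za-z0-9]+)")
# The log writes milliseconds after a colon, not a dot: 13:39:03:104.
TS_FMT = "%d/%b/%Y %H:%M:%S:%f"


def parse_log(text):
    """Return one dict per parseable line, sorted by timestamp (oldest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        sess = SESSION_RE.search(m.group("req"))
        events.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), TS_FMT),
            "status": int(m.group("status")),
            "session": sess.group(1) if sess else None,
        })
    events.sort(key=lambda e: e["time"])
    return events


def time_deltas(events):
    """Seconds between each event and the one before it, like `delta _time`.

    The first event has no predecessor, so its delta is None (Splunk leaves the
    field empty there too)."""
    out = []
    prev = None
    for e in events:
        gap = None if prev is None else round((e["time"] - prev).total_seconds(), 3)
        out.append((e["time"], gap))
        prev = e["time"]
    return out


def session_durations(events):
    """First-to-last span in seconds per JSESSIONID, like `transaction`'s duration."""
    by_session = defaultdict(list)
    for e in events:
        if e["session"]:
            by_session[e["session"]].append(e["time"])
    return {
        s: round((max(ts) - min(ts)).total_seconds(), 3)
        for s, ts in by_session.items()
    }


def total_span(events):
    """Seconds between the earliest and latest event in the whole file."""
    if not events:
        return 0.0
    return round((events[-1]["time"] - events[0]["time"]).total_seconds(), 3)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t, gap in time_deltas(evs):
        print(f"{t.isoformat(timespec='milliseconds')}  delta={gap}")
    print("per-session duration:", session_durations(evs))
    print("first-to-last span:", total_span(evs))
```

Note that `round(..., 3)` keeps the values at the log's own millisecond precision; the 503 on the first quoted event is exactly the kind of field you would later use to decide which transactions are worth looking at.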
Which two events are you looking to get the time difference between? How can they be identified?