Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Calculate meantime among requests based on timestamp

wagnerbianchi
Splunk Employee
Splunk Employee
‎06-10-2013 06:38 AM

Hello Folks,

This time I would like to have the difference between two timestamps, but, considering all the logs in the apache access log file. So, going through the details, I have an apache access log which is giving me the following:

0.2.1.44 - - [10/Jun/2013 13:39:03:104] "GET /cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01&JSESSIONID=SD8SL1FF5ADFF1 HTTP 1.1" 503 879 "http://shop.gourmet-shop.com/cart.do?action=purchase&itemId=EST-13&product_id=K9-CW-01" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 

101 1.178.233.243 - - [10/Jun/2013 13:34:04:151] "GET /oldlink?item_id=EST-12&JSESSIONID=SD10SL3FF4ADFF2 HTTP 1.1" 200 1312 "http://shop.gourmet-shop.com/category.screen?category_id=BAKING" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 147

My _time field is working well. My intention is to dynamically have the difference between/among timestamps...

 search ... (10/Jun/2013 13:34:04:151 - 10/Jun/2013 13:39:03:104)

Do you guys can help with that?

Thanks a lot.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-11-2013 12:44 AM

This is some data from the AppMgmt demo app, right. What is it that you want to do? Transactions based off IP or JSESSIONID? Neither will work well, as this is generated test data. If you want to play with it anyway, see the link below from @dwaddle.

If you just want to see the difference between events for some numerical field, e.g. _time, status, bytes, time_taken, then you could look at the delta command.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎06-10-2013 08:41 AM

This sounds roughly like a transaction.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouttransactions

When you define a transaction, Splunk will automatically compute duration which is the amount of time between the first and last event in the transaction.

Also, read Chap 7 of Carasso's book, http://www.splunk.com/goto/book

0 Karma
Reply

Ayn
Legend
‎06-10-2013 07:44 AM

Which two events are you looking to get the time difference between? How can they be identified?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...