Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculate time difference between starting and completing a task

atreece
Path Finder
‎12-20-2011 06:27 AM

I have a database that stores a separate event every time someone starts or stops a task. This should be a simple task, but I cant seem to figure out how to go about the calculation. There are three things I need to account for: accepting the task, abandoning the task, and completing the task. I only want to calculate the time it takes between each user's accepting a task and completing it. If they abandoned it, then I don't want splunk to calculate the time

This is working off of timestamps and the fields user_name and action

action=0 for accepting

action=1 for completing

action=2 for abandoning

Any suggestions as to how I would go about this calculation?

EDIT: My supervisors loved it, but now they want me to cut out times when the users are not logged in. I asked around, and got a nice addition to the logs: total_login_time, which, as it's so simply named, is a simple record, in milliseconds, of how long the users have been logged in to the site. Can I still use transaction? Or do I need to change it entirely?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎12-20-2011 06:56 AM

+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:

... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)

View solution in original post

Reply
Solved! Jump to solution

Splunkster45
Communicator
‎10-13-2014 09:28 AM

This is exactly what I was looking for!

0 Karma
Reply
Solved! Jump to solution

tgow
Splunk Employee
Splunk Employee
‎12-20-2011 07:15 AM

Great Stuff Ayn. Thanks. Give the points to Ayn!

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-20-2011 06:56 AM

+1 on using transaction, but using action as the correlating field won't work as it is changing within the session. user_name seems more appropriate. Also perhaps specify the conditions a bit more so that it's the actual action field that is checked for the values 0 and 2:

... | transaction user_name startswith=eval(action=0) endswith=eval(action=2)
Reply
Solved! Jump to solution

atreece
Path Finder
‎12-20-2011 07:58 AM

Yes, I did have to change it around a bit. The resulting search string looks a bit like this:

index=task_data task="*" NOT action="2" | transaction user_name startswith="action=0" endswith="action=1" maxevents="2" | where duation>0 | stats count by duration, task_name | fields task_name, duration |sort -duration |rename task_name AS "Task Name"

and it's giving me fairly nice results.

on an unrelated note, I love your picture. That game was really fun.

0 Karma
Reply
Solved! Jump to solution

tgow
Splunk Employee
Splunk Employee
‎12-20-2011 06:38 AM

I would recommend that you take a look at the "transaction" command. It has a built in field called "duration". Here is an example of how to use it. 

source="your data" | transaction action beginswith="0" endswith="2"

You might need to experiment with the maxspan and maxpause as well.

Here is a link to more information:

http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Transaction

Reply
Solved! Jump to solution

atreece
Path Finder
‎12-20-2011 07:37 AM

That's giving me some very nice results!
Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...