Splunk Search

How to calculate time difference of 2 events with logs that do not have a common string?

huligesh
Engager

Hi,
I have Siebel logs like below:
event 1:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:48 7676: Returned from SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
..
.. (after few events)
event n:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:47 7676: Calling SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0

I need to extract the timestamp and find difference to get response time data.

Thanks

0 Karma
1 Solution

s2_splunk
Splunk Employee

If the field with value 00005609588f0d40:0 is your MessageFlowID, you can do <search> | transaction mflowID startsWith="Calling" endsWith="Returned"
After the search executes, you will have a new field called duration generated by the transaction command that gives you the delta between start and end of this "transaction".

Note: transaction is a pretty expensive command, use it over the smallest event set/time frame possible. If this produces what you want, you may be able to rewrite the search more efficiently without using transaction. You can take a look at this answer for an example.

But first things first.


woodcock
Esteemed Legend

Do not use transaction; try this:

Your Base Search | stats range(_time) BY mflowID
0 Karma
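The two answers above compute the same thing in two ways: `transaction mflowID startsWith="Calling" endsWith="Returned"` pairs a start and an end event per message flow ID and emits `duration`, while `stats range(_time) BY mflowID` simply takes max minus min timestamp per ID. The added Python below is an offline illustration of both, not code from either answer or from Splunk: it extracts the flow ID and timestamp from the Siebel lines quoted in the question with a regex (the equivalent of a `rex` field extraction) and then applies each approach. The third sample line, flow `00005609588f0d40:1`, is a constructed unmatched "Calling" event added to show where the two approaches differ: the pairing approach reports it as incomplete, whereas a plain range collapses it to 0 seconds.

```python
import re
from datetime import datetime

# Constructed sample modelled on the MessageFlow lines quoted in the question.
# Flow 00005609588f0d40:0 and task 27263382 are from the page; the flow ending
# in :1 is a constructed example of a call with no matching "Returned" event.
SAMPLE_LOG = """\
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:48 7676: Returned from SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
MessageFlow MsgFlowDetail 4 00005609588f0d40:1 2017-01-30 09:38:50 7676: Calling SessionHandleMsg(200) for task 27263383, pErrStack = 0x2a2d6bf0
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:47 7676: Calling SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
"""

# Field extraction, equivalent to a Splunk rex: the message flow ID is the
# common key, the timestamp is the event time, the verb says start or end.
EVENT_RE = re.compile(
    r"^MessageFlow MsgFlowDetail \d+ (?P<mflowID>[0-9a-f]+:\d+) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+: "
    r"(?P<direction>Calling|Returned from) SessionHandleMsg"
)


def parse_events(text):
    """Yield (mflowID, 'start'|'end', timestamp) for every line that matches.
    Non-matching lines are skipped, as unextracted events would be in Splunk."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            direction = "start" if m["direction"] == "Calling" else "end"
            yield m["mflowID"], direction, ts


def response_times(text):
    """Pair Calling/Returned per mflowID, like
    transaction mflowID startsWith="Calling" endsWith="Returned".
    Returns ({mflowID: duration_seconds}, sorted list of unmatched mflowIDs).
    Event order in the input does not matter; Splunk shows newest first."""
    starts, ends = {}, {}
    for mflow, direction, ts in parse_events(text):
        (starts if direction == "start" else ends)[mflow] = ts
    paired = set(starts) & set(ends)
    durations = {k: (ends[k] - starts[k]).total_seconds() for k in paired}
    unmatched = sorted((set(starts) | set(ends)) - paired)
    return durations, unmatched


def time_range(text):
    """stats range(_time) BY mflowID: max minus min timestamp per ID.
    Cheaper than pairing, but a flow with only one event gets range 0,
    so incomplete flows are indistinguishable from instant ones."""
    seen = {}
    for mflow, _, ts in parse_events(text):
        seen.setdefault(mflow, []).append(ts)
    return {k: (max(v) - min(v)).total_seconds() for k, v in seen.items()}


if __name__ == "__main__":
    durations, unmatched = response_times(SAMPLE_LOG)
    for mflow, secs in sorted(durations.items()):
        print(f"{mflow}: response time {secs:.0f}s")
    print("incomplete flows:", unmatched)
    print("range(_time) per flow:", time_range(SAMPLE_LOG))
```

Run it as a script to see the 1-second response time for the flow in the question. The practical lesson matches the note in the accepted answer: the range approach is the cheap one to run over large time windows, but if you need to know which calls never returned, you need the start/end pairing (or, in SPL, a check on the fields `transaction` emits for a transaction that did not close).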

huligesh
Engager

Thanks for the answer.

0 Karma

gokadroid
Motivator

I see almost everything common between the two strings:

MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:48 7676: Returned from SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0
..
.. (after few events)
event n:
MessageFlow MsgFlowDetail 4 00005609588f0d40:0 2017-01-30 09:38:47 7676: Calling SessionHandleMsg(200) for task 27263382, pErrStack = 0x2a2d6bf0

0 Karma