Re: How to get duration for a transaction with mul...

amunag439 · ‎08-19-2019

Hi,

I'm looking to get a duration for a transaction that has multiple pairs of StartsWith and EndsWith conditions.

Log Pair 1:
start: id=1111 msg=trying to get info...
end: id=1111 msg=returing info...

Log Pair 2:
start: id=2222 msg=calling service to get info...
end: id=2222 msg=got info from service...

A given transaction can have either pair 1 or pair 2 logs but they do not co-exists.
I have tried using the following query to get the time duration between the above events but I wasn't successfull.

my search | eval transaction_start=if(in(msg, "trying to get info", "calling service to get info"), _time, NULL), transaction_end=if(in(msg, "returing info", "got info from service"), _time, NULL) | stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY id | eval duration=tostring((end_time-start_time), "duration")

How do I get the time duration for these logs where start and end pair may vary?

solarboyz1 · ‎08-19-2019

Do you need to use transactions? Are the id's re-used? If not, you might be able to just use stats:

your search | stats min(eval(match(msg,"(trying|calling service) to get",_time,NULL))) as start, max(eval(match(msg,"(got|returning) info",_time,NULL))) as stop, values(msg) as msg by id

How to get duration for a transaction with multiple start and end points?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases