Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get the duration in seconds from a multiline event?

icyfeverr
Path Finder
‎08-18-2015 11:49 AM

I am trying to find the best way to get the duration (in seconds) on a multiline event, possibly having it captured during indexing. I know I can use rex/field extractions and use the eval command at search-time, but was hoping for some more ideas.

Example:

--------------------[Start Session - 2015-08-18 10:47:27.000]-------------------
[2015-08-18 10:47:27.000][INFO]Attempting to connect...
[2015-08-18 10:47:27.000][INFO]Sending request
[2015-08-18 10:47:27.000][INFO]Retrieving response
[2015-08-18 10:47:29.000][INFO]Response size = 627 bytes
---------------------[End Session - 2015-08-18 10:47:29.000]--------------------

Duration = 2 (seconds)

Thanks in advance.

Tags (2)
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-18-2015 01:51 PM

Well, your non-search-time options are really only index-time extractions - most likely, this isn't what you actually want.

You could edit props.conf to include an extraction of the time so its always extracted, then use a calculated field to automatically create the duration between the _time & the second time field. Is that an example of something you might be looking for ?

Reply

icyfeverr
Path Finder
‎08-18-2015 02:01 PM

Yes, that is a potential solution. I was really hoping there was a way to have the multiline event act like the transaction command and have it apply a duration field to the event upon index.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎08-19-2015 08:54 AM

What necessitates it being at index time? Search time field exrtraction / creation isn't normally a bottleneck, especially if you're searching smart & using the fields command, etc.

Reply

icyfeverr
Path Finder
‎08-19-2015 08:59 AM

Ok, so utilizing the field extractions for the End Session time is all that would be needed then, since the start time is associated to Start Session time, then just use the eval to translate the string to an epoch time and then subtracting the two to get the second difference. I guess I will go with that, I was just trying to see if there was a different/better way of going about it. Thanks.

0 Karma
Reply

jensonthottian
Contributor
‎08-18-2015 01:21 PM

Transaction command finds transactions based on events that meet various constraints. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member.
Additionally, the transaction command produces two fields to the raw events, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction.

| transaction startswith="Start Session" endswith="End Session"

Reply

icyfeverr
Path Finder
‎08-18-2015 01:46 PM

I appreciate the response, but the Transaction command can not be applied to a multi-line-event, as a multi-line-event is essentially, at least in this case, a "transaction" already. The text example you see above is a "single" event since it was indexed as a multi-line event.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...