- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Time difference between events | multiple even...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Time difference between events | multiple events that are in chronological order
I have the following data, and i want to find the time difference between start and end of the request for SID, need to ignore the START with no END,
Note : in the below list Events (2,3), (4, 5), (10,11) are valid as they have start and end, the difference between these events is required
_time SID REQUEST
1 2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
2 2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
3 2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
4 2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
5 2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
6 2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
7 2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
8 2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
9 2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="No time SID REQUEST
1 2019-12-20 11:21:15.172 1h2fedk08swv29uCA9dPCRF START
2 2019-12-20 11:21:27.656 1h2fedk08swv29uCA9dPCRF START
3 2019-12-20 11:21:28.225 1h2fedk08swv29uCA9dPCRF END
4 2019-12-20 11:21:29.000 1h2fedk08swv29uCA9dPCRF START
5 2019-12-20 11:21:29.225 1h2fedk08swv29uCA9dPCRF END
6 2019-12-20 09:20:19.066 1h36phbXqfL9hXYLtXaFWtu START
7 2019-12-20 12:48:58.103 3qdu69MDOqaZTQ1WFld-C1N START
8 2019-12-20 11:13:51.873 Ieh_KV2UcC5oMqW6GFaVe26 START
9 2019-12-20 11:13:57.982 Ieh_KV2UcC5oMqW6GFaVe26 START
10 2019-12-20 11:14:08.252 Ieh_KV2UcC5oMqW6GFaVe26 START
11 2019-12-20 11:14:08.913 Ieh_KV2UcC5oMqW6GFaVe26 END"
| multikv forceheader=1
| eval _time=strptime(time,"%F %T.%q")
| table _time SID REQUEST
| rename COMMENT AS "this is sample data you provide")
| rename COMMENT AS "From here, the logic"
| streamstats count(eval(REQUEST="START")) as session
| stats earliest(_time) as start latest(_time) as end range(_time) as duration count(session) as flag by session SID
| eval start=strftime(start,"%F %T.%3q"), end=strftime(end,"%F %T.%3q")
| where flag > 1
| table SID start end duration
If the volume of logs is large and transaction is heavy, try this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, solution provided is appropriate, appreciate your supports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, @saikumarkomati
Please accept the answer and close question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
Try something like
|transaction SID startswith=START endswith=END
the duration is the time difference
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
