If I do index=whatever , I get something that looks like this:
2017-05-24T13:46:08Z|pegawifiview1495761514|8501114746901|G67BW48BD601389|None|viewDeviceWiFiNetworks_getResult|{"transactionid": "pegawifiview1495761514", "ticketid": 53400535}|{"request": {"method": "viewDeviceWiFiNetworks_getResult", "arguments": {"transactionid": "pegawifiview1495761514", "ticketid": 53400535}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "" .......
There are many events, and some with the same ticketid .
What I need to do is this: for each ticketid , determine how much time passed between each step.
For example, if I put a particular ticketid in the search field, I get the following two events:
2017-05-24T13:46:08Z|2017-05-24 13:45:59.921|1001000175904|b01041e6fafe|None|viewDeviceConnectedClients_getResult|{"transactionid": "2017-05-24 13:45:59.921", "ticketid": 53400657}|{"request": {"method": "viewDeviceConnectedClients_getResult", "arguments": {"transactionid": "2017-05-24 13:45:59.921", "ticketid": 53400657}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "", "result": [{"macAddress": "2C:AE:2B:49:C2:86", "percentBWUtilization": "0", "signalStrength": -39, "connectedIdentifier": "2CAE2B49C286", "connectionType": "802.11", "activeDevice": 1, "deviceType": "Samsung Electronics Co.,Ltd", "networkIdentifier": "32", "deviceName": "android-9b9a1ce0ea0aeff1", "ipAddress": "192.168.0.28"}, {"macAddress": "24:0D:C2:AA:F5:BF", "percentBWUtilization": "0", "signalStrength": -59, "connectedIdentifier": "240DC2AAF5BF", "connectionType": "802.11", "activeDevice": 1, "deviceType": "", "networkIdentifier": "32", "deviceName": "android-2315ceb08818ecac", "ipAddress": "192.168.0.27"}, {"macAddress": "B0:10:41:E6:FB:00", "percentBWUtilization": "0", "signalStrength": 1, "connectedIdentifier": "B01041E6FB00", "connectionType": "Ethernet", "activeDevice": 0, "deviceType": "Hon Hai Precision Ind. Co.,Ltd.", "networkIdentifier": 0, "deviceName": "", "ipAddress": "192.168.0.10"}, {"macAddress": "24:0D:C2:F2:3C:FD", "percentBWUtilization": "0", "signalStrength": -41, "connectedIdentifier": "240DC2F23CFD", "connectionType": "802.11", "activeDevice": 1, "deviceType": "", "networkIdentifier": "32", "deviceName": "android-99f3d41f675c5616", "ipAddress": "192.168.0.26"}]}}
2017-05-24T13:46:00Z|2017-05-24 13:45:59.921|1001000175904|b01041e6fafe|None|viewDeviceConnectedClients|{"transactionid": "2017-05-24 13:45:59.921", "singleCPEidentifier": {"cpeid": "b01041e6fafe"}}|{"request": {"method": "viewDeviceConnectedClients", "arguments": {"transactionid": "2017-05-24 13:45:59.921", "singleCPEidentifier": {"cpeid": "b01041e6fafe"}}}, "response": {"status_code": "200", "status_message": "OK", "ticket_id": "53400657", "result": ""}}
I can see from the timestamps that it took 8 seconds.
And there may be more than 2 events for a given ticket ID. So I would need the total time. And I need it for every ticket ID in a general search.
I am new to splunk and I have no idea how to do this. I have been searching and trying some things, but I am pretty lost. Any help would be appreciated.
... View more