Hello friends,
Say I have two index events that return string messages such as:
SCHEDULE - SUCCESS - Time: 05:12:02
AUTH - SUCCESS - Time: 05:14:01
Here are the example events:
EVENT 1 -
{
"cf_app_id":"345345345345",
"cf_app_name":"my-app-services",
"job_index":"b4853c36-6ecd-4902-9eb6xxxxxxxxx",
"message_type":"OUT",
"msg":{
"component":"MyApp",
"device":"iPhone",
"deviceID":"3534534534534",
"level":"INFO",
"levelindicator":"✏️",
"message":"SCHEDULE - SUCCESS - Time: 05:12:02",
"osversion":"12.0.1",
"platform":"iOS",
"reference":"Logger.swift|info|31",
"sessionID":"234234234234",
"username":"N/A",
"version":"5.1.0"
},
"origin":"rep",
"source_instance":"0",
"source_type":"APP/PROC/WEB",
"timestamp":1549302723595711849
}
EVENT 2 -
{
"cf_app_id":"34534534532",
"cf_app_name":"my-app-services",
"job_index":"b4853c36-6ecd-4902-9eb6zzzzzzz",
"message_type":"OUT",
"msg":{
"component":"MyApp",
"device":"iPhone",
"deviceID":"345435345345",
"level":"INFO",
"levelindicator":"✏️",
"message":"AUTH - SUCCESS - Time: 05:14:01",
"osversion":"12.0.1",
"platform":"iOS",
"reference":"Logger.swift|info|31",
"sessionID":"6456464564",
"username":"N/A",
"version":"5.1.0"
},
"origin":"rep",
"source_instance":"0",
"source_type":"APP/PROC/WEB",
"timestamp":567567567567
}
The logic here is: Splunk is reporting a successful SCHEDULE service call and adding a JS timestamp from Date() to "msg.message". Then an AUTHORIZATION success call comes a couple of minutes later and does the same thing, adding a Date() timestamp to "msg.message".
What I want to do:
I want to take the timestamps out of each, like so:
05:14:01 and 05:12:02, and then subtract them to find the difference of 2:01. Then create a panel that shows all comparisons like that which are over 1 minute in duration.
Is this even possible? What kind of search param would I use to find the substring with Splunk and find the time difference that creates my panel? I hope it is clear what I am trying to do. Should I use compare?
Thank you!
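The substring extraction and time subtraction the question describes, written as an added stand-alone Python illustration (not part of the post and not a Splunk search). It assumes a SCHEDULE pairs with the next AUTH in event order, since the sample events show no field that links the two, and it also handles a pair that crosses midnight, which the post's example does not.

```python
import json
import re

# Constructed sample events (not from the post), trimmed to the fields this
# example reads; the first two mirror the post's messages, the last two are an
# added pair that crosses midnight.
MESSAGES = ["SCHEDULE - SUCCESS - Time: 05:12:02", "AUTH - SUCCESS - Time: 05:14:01",
            "SCHEDULE - SUCCESS - Time: 23:59:30", "AUTH - SUCCESS - Time: 00:01:00"]
SAMPLE_EVENTS = [json.dumps({"cf_app_name": "my-app-services", "msg": {"message": m}})
                 for m in MESSAGES]

# Named groups in the same style Splunk's rex command accepts:
# the call type and the HH:MM:SS substring of msg.message.
MSG_RE = re.compile(r"^(?P<call>[A-Z]+) - SUCCESS - Time: (?P<hms>\d{2}:\d{2}:\d{2})$")

def parse_message(raw_event):
    """Return (call, seconds since midnight) for one JSON event, or None when
    msg.message is not of the form 'CALL - SUCCESS - Time: HH:MM:SS'."""
    m = MSG_RE.match(json.loads(raw_event)["msg"]["message"])
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("hms").split(":"))
    return m.group("call"), h * 3600 + mi * 60 + s

def schedule_to_auth_gaps(raw_events, threshold_secs=60):
    """Pair each SCHEDULE with the next AUTH in event order and return the gaps
    (seconds) longer than threshold_secs. Pairing by order is an assumption:
    the post shows no field that ties a SCHEDULE to its AUTH."""
    gaps, pending = [], None
    for raw in raw_events:
        parsed = parse_message(raw)
        if parsed is None:
            continue
        call, secs = parsed
        if call == "SCHEDULE":
            pending = secs
        elif call == "AUTH" and pending is not None:
            gap = (secs - pending) % 86400  # modulo handles a midnight crossing
            if gap > threshold_secs:
                gaps.append(gap)
            pending = None
    return gaps

def fmt_duration(secs):
    """Format a gap in seconds as M:SS for display, e.g. 125 -> '2:05'."""
    return f"{secs // 60}:{secs % 60:02d}"
```

In Splunk the same pattern, written with `(?<call>...)` style groups, can be used in a rex on msg.message, and strptime with "%H:%M:%S" yields the seconds to subtract.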