I'm unable to get this search to output anything except the _time of the first search:

| set diff
    [ search index="collect" host="app*"
      | regex _raw="backgroundWorkerLoad\w+Completed(?!\sEND)"
      | dedup source
      | rename _time AS time_one ]
    [ search index="collect" host="app*"
      | regex _raw="backgroundWorkerLoad\w+Completed\sEND"
      | dedup source
      | rename _time AS time_two ]
| convert timeformat="%H:%M:%S" ctime(time_one) ctime(time_two)
| eval duration=time_two-time_one
| table source time_one time_two duration

Anyway, it's a logfile that timestamps when the backgroundworker sub starts a routine, followed by another entry where it ENDs. It happens multiple times per source, so dedup being used in this way probably isn't the best idea. There are many different sources being indexed, each with a unique name. Is this the way to do this? Thanks in advance.

asked 23 May '12, 14:51


nelsonb


One Answer:
index=collect host=app* "backgroundWorkLoad Completed" 
| stats range(_time) as duration earliest(_time) as time_one latest(_time) as time_two by source

will probably get you the right results efficiently. Otherwise:

index=collect host=app* "backgroundWorkLoad Completed"
| eval time_one=if(match(_raw, "backgroundWorkerLoad\w+Completed(?!\sEND)"),_time,null())
| eval time_two=if(match(_raw, "backgroundWorkerLoad\w+Completed\sEND"),_time,null())
| stats earliest(time_one) as time_one latest(time_two) as time_two by source 
| eval duration=time_two-time_one

should get you the same as what you appear to intend.


answered 23 May '12, 17:09


gkanapathy ♦

The first search worked great, but the results scared me. Thanks for the help. I was definitely making it more complicated than I should have.

(25 May '12, 11:42) nelsonb

The one problem with doing the stat by source though is that it's only returning one result by source. Each source has several hundred occurrences of these pairs of events happening. Is there some other way to sort the returns? I'm trying a few variations.

(25 May '12, 12:36) nelsonb

Okay, then you need to use the transaction command, which automatically calculates duration. Something like:

index=collect host=app* "backgroundWorkLoad Completed" | transaction source startswith=("backgroundWorkLoad Completed NOT END") endswith=("backgroundworkerload Completed END") maxevents=2 | table source duration

might work.

(25 May '12, 16:42) gkanapathy ♦
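The difference between the earlier `stats ... by source` search (one row per source) and the `transaction` search (one row per start/END pair) can be seen in plain Python over a handful of made-up events. This is an added illustration, not Splunk's code and not from the thread; `SAMPLE_EVENTS`, `pair_durations` and `one_row_per_source` are names assumed here, and the timestamps, hosts and routine names are constructed.

```python
import re
from datetime import datetime
# The two patterns from the question: a routine's start line ends in "Completed"
# with no " END" after it; its end line is the same text followed by " END".
START_RE = re.compile(r"backgroundWorkerLoad\w+Completed(?!\sEND)")
END_RE = re.compile(r"backgroundWorkerLoad\w+Completed\sEND")

# Constructed sample events as (source, _raw); sources, names and times are made up.
SAMPLE_EVENTS = [
    ("app01.log", "2012-05-23 14:00:00 backgroundWorkerLoadUsersCompleted"),
    ("app01.log", "2012-05-23 14:00:07 backgroundWorkerLoadUsersCompleted END"),
    ("app02.log", "2012-05-23 14:00:02 backgroundWorkerLoadOrdersCompleted"),
    ("app01.log", "2012-05-23 14:01:00 backgroundWorkerLoadUsersCompleted"),
    ("app01.log", "2012-05-23 14:01:12 backgroundWorkerLoadUsersCompleted END"),
    ("app02.log", "2012-05-23 14:00:32 backgroundWorkerLoadOrdersCompleted END"),
    ("app02.log", "2012-05-23 14:05:00 backgroundWorkerLoadOrdersCompleted"),  # no END yet
]

def parse_time(raw):  # _time equivalent: the leading timestamp of the raw line
    return datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S")

def one_row_per_source(events):
    """What `stats earliest(time_one) latest(time_two) by source` produces: a
    single span per source from its first start to its last END."""
    first_start, last_end = {}, {}
    for source, raw in events:
        ts = parse_time(raw)
        if END_RE.search(raw):
            last_end[source] = max(last_end.get(source, ts), ts)
        elif START_RE.search(raw):
            first_start[source] = min(first_start.get(source, ts), ts)
    return {s: (last_end[s] - first_start[s]).total_seconds()
            for s in first_start if s in last_end}

def pair_durations(events):
    """What `transaction source startswith=... endswith=... maxevents=2` does:
    pair each start with the next END on the same source, in time order.
    A start that never gets an END is returned with None, not silently dropped."""
    open_start, rows = {}, []
    for source, raw in sorted(events, key=lambda e: parse_time(e[1])):
        ts = parse_time(raw)
        if END_RE.search(raw):
            start = open_start.pop(source, None)
            if start is not None:
                rows.append((source, start, ts, (ts - start).total_seconds()))
        elif START_RE.search(raw):
            open_start[source] = ts  # a new start before an END opens a fresh pair
    rows.extend((s, t, None, None) for s, t in open_start.items())
    return rows
```

For app01.log the per-source version reports a single 72-second span, while the paired version reports the two real runs of 7 and 12 seconds.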

This returned all the results I was looking for. Thanks!

(29 May '12, 10:53) nelsonb
Last updated: 29 May '12, 10:53

Copyright © 2005-2012 Splunk Inc. All rights reserved.