How to edit my search to get expected output

sridharreddy · ‎07-20-2016

EVENT1) 20160718T164839.608 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT2) 20160718T164831.111 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"

EVENT3) 20160718T164822.076 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="123456"
EVENT4) 20160718T164816.622 GMT INFO MESSAGE=" RES" SNAME="ABCD" ACCNO="765432"
EVENT5) 20160718T164810.655 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="123456"
EVENT6) 20160718T164802.646 GMT INFO MESSAGE=" REQ" SNAME="ABCD" ACCNO="765432"

Hi Folks,

I have a issue in splunk picking up the correct REQ and RES times in this events.

ACCNO:123456 event1(RES)-event2(REQ) =20160718T164839.608-20160718T164831.111= 8.***

ACCNO:123456 event3(RES)-event5(REQ) =20160718T164822.076-20160718T164810.655=12.***

ACCNO:765432 event4(RES)-event6(REQ) =20160718T164816.622-20160718T164802.646=14.***

My expected output:

ACCNO DURATION
123456 8. (some milli sec)
123456 12.(some milli sec)
765432 14.(some milli sec)

My current output (it is wrong scrab):
ACCNO DURATION
123456 8.497000

765432
123456 5.967000

765432

123456 19.430000

QUERY:

index=* sourcetype=* SNAME="ABCD" ACCNO=123456 OR ACCNO=765432 MESSAGE=REQ OR MESSAGE=RES| rex "(?\d{8}T\d{6}.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO, duration,

Thanks
-venkata Sridhar

sundareshr · ‎07-21-2016

Try this

index= sourcetype= SNAME="ABCD" ACCNO=123456 OR ACCNO=765432 MESSAGE=REQ OR MESSAGE=RES | reverse | streamstats count by SNAME MESSAGE | stats earliest(_time) as start latest(_time) as end by count | eval duration = end-start

How to edit my search to get expected output

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...