You might want to know when the duration of a payment response far exceeds the average when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Business service data for payment processing
Knowing which responses took the longest in terms of duration to process is important to meet SLAs. Payments that take too long to process may be subject to fines and cause customer dissatisfaction.
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:
|sourcetype=<payment processing data> |eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") |sort _time |stats count values(customer) AS customer values(amount) AS amount values(_time) AS _time first(epoch) AS first last(epoch) AS last BY sessionID |where count>1 |eval duration=last-first |eventstats avg(duration) AS avgdur stdev(duration) AS stdev |where duration>(avgdur+(2*stdev)) |fields - first last count _time |sort - duration |table sessionID customer amount duration avgdur stdev |eval amount=tostring(round(amount, 2),"commas")
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
||sourcetype=<payment processing data>||Search only your payment processing data.|
||eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")||Parse the time stamp into a UNIX time value.|
||sort _time||Sort the results from newest to oldest.|
||stats count values(customer) AS customer values(amount) AS amount values(_time) AS _time first(epoch) AS first last(epoch) AS last BY sessionID||Display the customers, amounts, and times of the payment request and response. Then group the payments by their unique identifier.|
||where count>1||Filter results to those where the count is greater than 1.|
||eval duration=last-first||Create a duration field that is equal to the last minus first time.|
||eventstats avg(duration) AS avgdur stdev(duration) AS stdev||Find the average duration and standard deviation for payment responses.|
||where duration>(avgdur+(2*stdev))||Filter the results to those that are greater than the average duration plus 2 standard deviations.|
||fields - first last count _time||Remove the fields shown from the results.|
||sort - duration||Sort the results from oldest to newest.|
||table sessionID customer amount duration avgdur stdev||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Convert the amount to a string rounded to two values, using a comma when needed.|
After learning what response times are high outliers, you can report on these, as they may fail your service level agreements. Further investigation is needed to find out if there is a reason for the SLA miss.