The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you understand when the duration of a payment response far exceeded the average. For more information, review the use case monitoring payment responses.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=<payment processing data>` | Search only your payment processing data. |
| `eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")` | Parse the time stamp into a UNIX time value. |
| `sort _time` | Sort the results from newest to oldest. |
| `stats count values(customer) AS customer values(amount) AS amount values(_time) AS _time first(epoch) AS first last(epoch) AS last BY sessionID` | Display the customers, amounts, and times of the payment request and response, grouping the payments by their unique identifier. |
| `where count>1` | Filter the results to sessions with a count greater than 1, that is, sessions that have both a request and a response. |
| `eval duration=last-first` | Create a duration field equal to the last time stamp minus the first. |
| `eventstats avg(duration) AS avgdur stdev(duration) AS stdev` | Find the average duration and standard deviation for payment responses. |
| `where duration>(avgdur+(2*stdev))` | Filter the results to durations greater than the average duration plus 2 standard deviations. |
| `fields - first last count _time` | Remove the fields shown from the results. |
| `sort - duration` | Sort the results from oldest to newest. |
| `table sessionID customer amount duration avgdur stdev` | Display the results in a table with the columns in the order shown. |
| `eval amount=tostring(round(amount, 2),"commas")` | Convert the amount to a string rounded to two decimal places, inserting commas as thousands separators where needed. |
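The same detection logic carried through on constructed events, as an added example in Python (not Splunk's or the page's own code): pair the request and response for each sessionID, compute the duration, and flag durations above the average plus two standard deviations. The field names follow the search; the event layout, the sample data, and the UTC time zone are assumptions.

```python
import re
from datetime import datetime, timezone
from statistics import mean, stdev

# Constructed sample payment events (not real data): a request and a response per
# sessionID with "%Y/%m/%d %H:%M:%S" time stamps; s7 has only a request.
SAMPLE_EVENTS = """\
2024/03/01 10:00:00 sessionID=s1 customer=alice amount=120.5
2024/03/01 10:00:02 sessionID=s1 customer=alice amount=120.5
2024/03/01 10:01:00 sessionID=s2 customer=bob amount=42
2024/03/01 10:01:03 sessionID=s2 customer=bob amount=42
2024/03/01 10:02:00 sessionID=s3 customer=carol amount=15
2024/03/01 10:02:02 sessionID=s3 customer=carol amount=15
2024/03/01 10:03:00 sessionID=s4 customer=dave amount=8.25
2024/03/01 10:03:03 sessionID=s4 customer=dave amount=8.25
2024/03/01 10:04:00 sessionID=s5 customer=erin amount=300
2024/03/01 10:04:02 sessionID=s5 customer=erin amount=300
2024/03/01 10:05:00 sessionID=s6 customer=grace amount=9999.99
2024/03/01 10:08:00 sessionID=s6 customer=grace amount=9999.99
2024/03/01 10:09:00 sessionID=s7 customer=heidi amount=5
"""
EVENT_RE = re.compile(r"(?P<ts>\S+ \S+) sessionID=(?P<sid>\S+) customer=(?P<cust>\S+) amount=(?P<amt>\S+)")

def parse_epoch(ts: str) -> float:
    """strptime(_time, "%Y/%m/%d %H:%M:%S") as UNIX seconds (UTC assumed)."""
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

def slow_payments(raw: str, sigmas: float = 2.0) -> list[dict]:
    """stats first/last epoch BY sessionID | where count>1 | eval duration=last-first
    | eventstats avg, stdev | where duration>avgdur+sigmas*stdev | sort - duration."""
    sessions: dict[str, dict] = {}
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a payment event; skip it
        s = sessions.setdefault(m["sid"], {"customer": m["cust"], "amount": float(m["amt"]), "epochs": []})
        s["epochs"].append(parse_epoch(m["ts"]))
    # where count>1: a lone request has no response to measure against
    paired = {sid: s for sid, s in sessions.items() if len(s["epochs"]) > 1}
    for s in paired.values():
        s["duration"] = max(s["epochs"]) - min(s["epochs"])  # last - first
    durations = [s["duration"] for s in paired.values()]
    if len(durations) < 2:
        return []  # stdev is undefined for a single paired session
    avgdur, sd = mean(durations), stdev(durations)  # Splunk stdev() is the sample stdev
    rows = []
    for sid, s in sorted(paired.items(), key=lambda kv: kv[1]["duration"], reverse=True):
        if s["duration"] > avgdur + sigmas * sd:  # far above the average
            rows.append({"sessionID": sid, "customer": s["customer"], "duration": s["duration"],
                         "amount": f"{round(s['amount'], 2):,.2f}", "avgdur": avgdur, "stdev": sd})
    return rows
```

With six paired sessions the sample standard deviation caps any single outlier near two sigmas, so thresholds on small populations are fragile; the index and time range chosen for the real search matter for the same reason.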