Splunk:
{
  guid: ABC
  level: warn
  message: Analytics Audit: analyticsLoaded
  source: client
  timestamp: 2017-08-07T16:38:38+00:00
}
{
  guid: BAC
  level: warn
  message: Analytics Audit: doneWithAnalytics
  source: client
  timestamp: 2017-08-07T16:38:38+00:00
}
These messages show up for each guid. I would like to get the duration between the first message, "Analytics Audit: analyticsLoaded", showing up and the second message, "Analytics Audit: doneWithAnalytics", by guid. And get the average duration for both messages showing up after the two messages to a guid.
So basically, get the duration per guid. Get the average duration.
How can I do that in Splunk?
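One way to compute what the question describes, as an added example that is not part of the original post: it assumes `guid` and `message` are extracted fields as shown in the events above, that `_time` is parsed from `timestamp`, and that `placeholder_index` and `placeholder_sourcetype` stand in for the real index and sourcetype, which the post does not give.

```spl
index=placeholder_index sourcetype=placeholder_sourcetype
    (message="Analytics Audit: analyticsLoaded" OR message="Analytics Audit: doneWithAnalytics")
| stats min(eval(if(message="Analytics Audit: analyticsLoaded", _time, null()))) as loaded_time
        max(eval(if(message="Analytics Audit: doneWithAnalytics", _time, null()))) as done_time
        by guid
| eval duration=done_time-loaded_time
| where isnotnull(duration)
| eventstats avg(duration) as avg_duration
| table guid loaded_time done_time duration avg_duration
```

A guid that logged only one of the two messages has a null `duration` and is dropped before the average is taken. With second-resolution timestamps like those in the sample events, `duration` comes out in whole seconds.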