Naresh Kuppili

Reputation: 21

Splunk time calculation issues

I have a requirement like this:

I would like to understand the logic to calculate how many transactions missed the ack SLA and the response SLA.

Suppose I submit the request at 3 PM today: how can I calculate that the ACK should be before 5 PM today and the response should be before 9 AM?

Transaction submitted time-- 22-Aug-2019 12:00 
Transaction acknowledge time-- 22-Aug-2019 13:00 
response sent at - 22-Aug-2019 19:00

So we have to consider the above transaction as a success.

Transaction submitted time-- 22-Aug-2019 12:00 
Transaction acknowledge time-- 22-Aug-2019 13:00 
response sent at - 23-Aug-2019 19:00

In this case, the response SLA is breached and it counts as a failure.

Upvotes: 0

Views: 99

Answers (1)

RichG

Reputation: 9916

It's not clear from the question if the 3 times are in separate events or a single event. If the former then there needs to be a way to link the events of a transaction. Assuming they've been collected into a single transaction, here's how to compare timestamps.

The first step is to extract the time strings and convert them into epoch form.

| rex "submitted time-- (?<submittedTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| rex "acknowledge time-- (?<acknowledgeTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| rex "response sent at - (?<responseTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| eval submit = strptime(submittedTime, "%d-%b-%Y %H:%M")
| eval ack = strptime(acknowledgeTime, "%d-%b-%Y %H:%M")
| eval response = strptime(responseTime, "%d-%b-%Y %H:%M")

Once you have the epoch timestamp, you can compare it to your SLA requirements. For example,

| eval ackSLAmet = if(ack - submit < 7200, 1, 0)
| eval respSLAmet = if(response - submit < (3600 * 18), 1, 0)

Upvotes: 1
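The answer's steps assembled into one search that also produces the counts the question asks for, as an added example that is not part of the original answer. The three events are constructed with `makeresults` (the first two use the question's timestamps, the third has a late ack and no response); the `txn`, `n`, `transactions`, `ackSLAmissed` and `respSLAmissed` names are assumptions, and counting a transaction with a missing timestamp as a breach is also an assumption.

```spl
| makeresults count=3
| streamstats count AS n
| eval txn="constructed-sample-".n
| eval _raw=case(
    n=1, "Transaction submitted time-- 22-Aug-2019 12:00 Transaction acknowledge time-- 22-Aug-2019 13:00 response sent at - 22-Aug-2019 19:00",
    n=2, "Transaction submitted time-- 22-Aug-2019 12:00 Transaction acknowledge time-- 22-Aug-2019 13:00 response sent at - 23-Aug-2019 19:00",
    n=3, "Transaction submitted time-- 22-Aug-2019 12:00 Transaction acknowledge time-- 22-Aug-2019 15:30")
| rex "submitted time-- (?<submittedTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| rex "acknowledge time-- (?<acknowledgeTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| rex "response sent at - (?<responseTime>\d\d-\w+-\d{4} \d\d:\d\d)"
| eval submit = strptime(submittedTime, "%d-%b-%Y %H:%M")
| eval ack = strptime(acknowledgeTime, "%d-%b-%Y %H:%M")
| eval response = strptime(responseTime, "%d-%b-%Y %H:%M")
| eval ackSLAmet = case(isnull(submit) OR isnull(ack), 0, ack - submit < 7200, 1, true(), 0)
| eval respSLAmet = case(isnull(submit) OR isnull(response), 0, response - submit < 64800, 1, true(), 0)
| stats count AS transactions,
        count(eval(ackSLAmet=0)) AS ackSLAmissed,
        count(eval(respSLAmet=0)) AS respSLAmissed
```

To run it against real data, replace the first four commands with the base search that returns one event per transaction.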
