https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256151#M9709 <P>Hi all</P> <P>I have some events which represent something like a ping.</P> <P>For example :<BR /> _time: a time stamp<BR /> doing it: 1<BR /> database: db1<BR /> server: server1</P> <P>so i get something like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2374i1AD8D8778854962C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>the color represent the DB.<BR /> Now, what i need to do is to write a query which understands that there are 2 groups of events for the violet db and that gives me that _time of the first event and the rime od the last event of every group, like in the next image.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2375i9E7F281F6A13294B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> </P> <P>I think this can be achieved using clustering, just i dont know how (maybe with k means method).</P> <P>Can you help me?</P> Fri, 27 Jan 2017 15:42:53 GMT andreafebbo 2017-01-27T15:42:53Z https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256151#M9709 <P>Hi all</P> <P>I have some events which represent something like a ping.</P> <P>For example :<BR /> _time: a time stamp<BR /> doing it: 1<BR /> database: db1<BR /> server: server1</P> <P>so i get something like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2374i1AD8D8778854962C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>the color represent the DB.<BR /> Now, what i need to do is to write a query which understands that there are 2 groups of events for the violet db and that gives me that _time of the first event and the rime od the last event of every group, like in the next image.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2375i9E7F281F6A13294B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> </P> <P>I think this can be achieved using clustering, just i dont know how (maybe with k means method).</P> <P>Can you help me?</P> Fri, 27 Jan 2017 15:42:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256151#M9709 andreafebbo 2017-01-27T15:42:53Z https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256152#M9710 <P>Give transaction command a try.</P> <PRE><CODE>your base search | transaction database server | eval start=_time | eval end=_time+duration </CODE></PRE> Fri, 27 Jan 2017 15:49:35 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256152#M9710 somesoni2 2017-01-27T15:49:35Z https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256153#M9711 <P>Like this:</P> <PRE><CODE>... | transaction max_pause=5m database server | eval start = _time, end = _time + duration </CODE></PRE> Sun, 05 Mar 2017 05:29:52 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-clustering-to-calculate-start-and-end-of-a-process/m-p/256153#M9711 woodcock 2017-03-05T05:29:52Z