https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96205#M20038 <P>Hi,</P> <P>I am new to Splunk, so if this is a stupid question - forgive me! <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.</P> <P>The problem is that i don't have any unique field between the events to do the transaction on.</P> <P>These are the two events:</P> <H1>SERVER SHUTDOWN INITIATED</H1> <P>11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.</P> <H1>SERVER RESTARTED AND ONLINE</H1> <P>11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.</P> <P>I tried to do the transaction on the EventCode fields, this works to an extend but not 100% as it creates transaction across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers takes a long time to come online again making the use of maxspan difficult. I also tried using the RecordNumber field as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.</P> <P>Any ideas?</P> Tue, 30 Nov 2010 19:22:22 GMT lohans 2010-11-30T19:22:22Z https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96205#M20038 <P>Hi,</P> <P>I am new to Splunk, so if this is a stupid question - forgive me! <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.</P> <P>The problem is that i don't have any unique field between the events to do the transaction on.</P> <P>These are the two events:</P> <H1>SERVER SHUTDOWN INITIATED</H1> <P>11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.</P> <H1>SERVER RESTARTED AND ONLINE</H1> <P>11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.</P> <P>I tried to do the transaction on the EventCode fields, this works to an extend but not 100% as it creates transaction across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers takes a long time to come online again making the use of maxspan difficult. I also tried using the RecordNumber field as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.</P> <P>Any ideas?</P> Tue, 30 Nov 2010 19:22:22 GMT https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96205#M20038 lohans 2010-11-30T19:22:22Z https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96206#M20039 <P>You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:</P> <PRE><CODE>sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) | transaction host startswith="EventCode=6006" endswith="EventCode=6005" | eval restart_duration=tostring(duration,"duration") | table _time host restart_duration </CODE></PRE> Tue, 30 Nov 2010 19:51:05 GMT https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96206#M20039 ziegfried 2010-11-30T19:51:05Z https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96207#M20040 <P>Thx a million! Exactly what i needed!</P> Tue, 30 Nov 2010 21:05:45 GMT https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96207#M20040 lohans 2010-11-30T21:05:45Z https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96208#M20041 <P>Just one more question - why would the restart duration be displayed like this for some hosts? 378+14:52:21</P> Tue, 30 Nov 2010 21:09:18 GMT https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96208#M20041 lohans 2010-11-30T21:09:18Z https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96209#M20042 <P>Seems like 378 days... You can take a look at those found transactions by removing the eval and the table command and looking at long durations by appending | where duration&gt;86400. It probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer, if it was helpful.</P> Tue, 30 Nov 2010 21:36:52 GMT https://community.splunk.com/t5/Getting-Data-In/Calculate-duration-between-Windows-EventCodes/m-p/96209#M20042 ziegfried 2010-11-30T21:36:52Z