https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656028#M54036 <P>transaction command is not a good command to use for long transactions if you have a reasonable volume of data, as it will silently run out of memory and your results will be incomplete/wrong.</P><P>It is often better to use stats, e.g.</P><LI-CODE lang="markup">| stats min(_time) as Start max(_time) as Finish by CARS_ID | eval duration=Finish-Start</LI-CODE><P>or if you have lots of events for the same ID that come before and after you could do</P><LI-CODE lang="markup">| stats min(eval(if(match(_raw, "Reading Control-File"), _time, null))) as Start max(eval(if(match(_raw, "Completed Settlement file processing"), _time, null))) as Finish by CARS_ID</LI-CODE><P>but it will depend on your events - but this will be reliable</P> Tue, 29 Aug 2023 23:28:30 GMT bowesmana 2023-08-29T23:28:30Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656010#M54034 <P>Hi Team,</P><P>I have one file CARS.HIERCTR for which I want to capture START and END DURATION</P><P>I am using below query:</P><P>ndex="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 | rex "\[(?&lt;thread&gt;Thread[^\]]+)\]" | transaction thread startswith="Reading Control-File /absin/CARS.HIERCTR." endswith="Completed Settlement file processing, CARS.HIER." | table duration</P><P>But I am not getting any result</P><P>Can someone guide me</P><P>Starting Logger -&nbsp;<SPAN class="">2023-08-29</SPAN> <SPAN class="">00:26:20.256</SPAN><SPAN> [</SPAN><SPAN class="">INFO</SPAN><SPAN> ] [</SPAN><SPAN class="">pool-3-thread-1</SPAN><SPAN>] </SPAN><SPAN class=""><SPAN class="">ReadControlFileImpl</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Reading</SPAN> <SPAN class="">Control-File</SPAN> <SPAN class="">/absin/CARS.HIERCTR</SPAN>.</SPAN><SPAN class="">D082823</SPAN><SPAN>.</SPAN><SPAN class="">T001819</SPAN></P><P>Ending logger -&nbsp;<SPAN class="">2023-08-29</SPAN> <SPAN class="">02:18:33.064</SPAN><SPAN> [</SPAN><SPAN class="">INFO</SPAN><SPAN> ] [</SPAN><SPAN class="">Thread-34</SPAN><SPAN>] </SPAN><SPAN class="">FileEventCreator</SPAN> <SPAN class="">-</SPAN> <SPAN class=""><SPAN class="">Completed</SPAN> <SPAN class="">Settlement</SPAN> <SPAN class="">file</SPAN> <SPAN class="">processing</SPAN>, <SPAN class="">CARS.HIER</SPAN>.</SPAN><SPAN class="">D082823</SPAN><SPAN>.</SPAN><SPAN class="">T020913</SPAN> <SPAN class="">records</SPAN> <SPAN class="">processed:</SPAN> <SPAN class="">135959</SPAN></P><P><SPAN class="">PLEASE GUIDE.</SPAN></P> Tue, 29 Aug 2023 20:23:00 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656010#M54034 aditsss 2023-08-29T20:23:00Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656027#M54035 <P>Your Thread value is not extracted in the first data line and even if it was, it has a different value to the ending line. The first has 'thread-1' and the second Thread-34 although the first is actually pool-3-thread-1</P><P>Can you not use the D082823 ID in the CARS file description, e.g.</P><LI-CODE lang="markup">| rex "CARS\.HIER(CTR)?\.(?&lt;CARS_ID&gt;\w+)" | transaction CARS_ID startswith="Reading Control-File /absin/CARS.HIERCTR." endswith="Completed Settlement file processing, CARS.HIER." | table duration</LI-CODE> Tue, 29 Aug 2023 23:23:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656027#M54035 bowesmana 2023-08-29T23:23:52Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656028#M54036 <P>transaction command is not a good command to use for long transactions if you have a reasonable volume of data, as it will silently run out of memory and your results will be incomplete/wrong.</P><P>It is often better to use stats, e.g.</P><LI-CODE lang="markup">| stats min(_time) as Start max(_time) as Finish by CARS_ID | eval duration=Finish-Start</LI-CODE><P>or if you have lots of events for the same ID that come before and after you could do</P><LI-CODE lang="markup">| stats min(eval(if(match(_raw, "Reading Control-File"), _time, null))) as Start max(eval(if(match(_raw, "Completed Settlement file processing"), _time, null))) as Finish by CARS_ID</LI-CODE><P>but it will depend on your events - but this will be reliable</P> Tue, 29 Aug 2023 23:28:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-capture-start-and-End-time-interval-for-a-particular-file/m-p/656028#M54036 bowesmana 2023-08-29T23:28:30Z