https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483104#M135286 <PRE><CODE>DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop") | eval TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p") | eventstats range(TIMEONLY) as duration by DESCRIPTION | eval duration=tostring(duration,"duration") </CODE></PRE> Wed, 26 Feb 2020 22:26:20 GMT to4kawa 2020-02-26T22:26:20Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483102#M135284 <P>my search query is this:</P> <P>DESCRIPTION="<EM>sump pump</EM>" OR (DESCRIPTION="<EM>ejector pump</EM>" AND DESCRIPTION="<EM>run/stop</EM>") | rex field=CREATEDATETIME "2019+ (?[^,]+)" | rex field=CREATEDATETIME "(?[^\s]+)" | rex field=TIMEONLY "(?.<EM>):(?.</EM>):(?.<EM>)\s(?.</EM>)" | eval TIMEONLY = Hour*3600 + Minute*60 + Second| eval AM=case(AM="AM","0",AM="PM","43200")|eval TIMEONLY=TIMEONLY+AM| sort by !TIMEONLY |transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP"</P> <P>result i get from search:<BR /> <IMG src="https://community.splunk.com/storage/temp/284585-splunk.jpg" alt="alt text" /></P> <P>i have created a field for the TIMEONLY , i am stuck with getting the duration of the time between the run and stop time, what can i do such that i am able to subtract my run and stop time to get the active time duration .</P> Wed, 30 Sep 2020 04:24:52 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483102#M135284 chookp 2020-09-30T04:24:52Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483103#M135285 <P>HI @chookp,<BR /> the duration field that's displayed if there the transaction command isn't useful for you?</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 26 Feb 2020 13:47:57 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483103#M135285 gcusello 2020-02-26T13:47:57Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483104#M135286 <PRE><CODE>DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop") | eval TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p") | eventstats range(TIMEONLY) as duration by DESCRIPTION | eval duration=tostring(duration,"duration") </CODE></PRE> Wed, 26 Feb 2020 22:26:20 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483104#M135286 to4kawa 2020-02-26T22:26:20Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483105#M135287 <P>the transaction command is useful to me, but the info i need to lacking, when i use the transaction there is multi value of TIMEONLY , i just need to subtract both my TIMEONLY to get my active duration. this is the part which i am stuck</P> Thu, 27 Feb 2020 00:27:57 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483105#M135287 chookp 2020-02-27T00:27:57Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483106#M135288 <P>hi i am sorry as i am new to splunk i am not sure eval |TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p") | eventstats range(TIMEONLY) as duration by DESCRIPTION | eval duration=tostring(duration,"duration") able to break down the meaning i had try to use the command but did not get the answer i expected.</P> Thu, 27 Feb 2020 06:03:38 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483106#M135288 chookp 2020-02-27T06:03:38Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483107#M135289 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Commontimeformatvariables">strptime</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Eventstats">eventstats</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Aggregatefunctions">range</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/ConversionFunctions">tostring</A></P> Thu, 27 Feb 2020 08:37:40 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483107#M135289 to4kawa 2020-02-27T08:37:40Z https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483108#M135290 <P>CREATEDATETIME is format <CODE>"%m/%d/%Y %T %p"</CODE><BR /> <CODE>strptime</CODE> makes epoch time to duration.<BR /> <CODE>eventstats range</CODE> aggregates duration between <EM>run and stop</EM><BR /> <CODE>tostring</CODE> change duration to readable.</P> Thu, 27 Feb 2020 08:45:46 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-my-duration-from-transaction/m-p/483108#M135290 to4kawa 2020-02-27T08:45:46Z