https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193885#M55880 <P>Hi pisc,</P> <P>you can use <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Streamstats"><CODE>streamstats</CODE></A> like this:</P> <PRE><CODE>yourBaseSearchHere | streamstats current=false last(STATUS) as last_status last(_time) as time_of_change by ID | where STATUS!=last_status | eval duration=now()-time_of_change | eval duration=strftime(duration, "%H:%M") | table _time, HOSTNAME, ID, duration </CODE></PRE> <P>this is un-tested since I'm missing the real events, so maybe you will need to adapt some things to match your needs.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 10 Jun 2014 11:06:47 GMT MuS 2014-06-10T11:06:47Z https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193884#M55879 <P>transaction関数を使用すれば、グルーピングしたログの間隔（duration）を取得出来ますが、transactionを使用しない場合のduration取得方法をご教授頂けますでしょうか。</P> <P>下記のログを用いてPCの操作時間のユーザごとの総計を取得したいと思っています。</P> <P>user01の場合は23:00～23:30で使用時間が30minになりますが、user02の場合、Startの次はuser03によるPC02の使用ということで、23:10～23:35で25minになります。</P> <P>transactionを使用し、startswith=Start、endswith=Endとした場合は、上記のuser02のEndがない為、グルーピングがうまくいきません。</P> <P>この場合のdurationの取得方法、またはtransactionをうまく活用できないか、ご教授頂けますでしょうか。</P> <BLOCKQUOTE> <P>DATE | ID | HOSTNAME | STATUS</P> <P>14/05/31 23:00 | user01 | PC01 | Start</P> <P>14/05/31 23:10 | user02 | PC02 | Start</P> <P>14/05/31 23:30 | user01 | PC01 | End</P> <P>14/05/31 23:35 | user03 | PC02 | Start</P> <P>14/05/31 23:50 | user03 | PC02 | End</P> </BLOCKQUOTE> <HR /> <P>以下、情報が不足してましたので追記します。</P> <P>STATUSカラムには「Timeout」というログが存在します。</P> <BLOCKQUOTE> <P>DATE | ID | HOSTNAME | STATUS</P> <P>14/05/31 23:35 | user03 | PC02 | Start</P> <P>14/05/31 23:50 | | PC02 | Timeout</P> <P>14/05/31 23:55 | user04 | PC02 | Start</P> <P>14/05/31 23:59 | user04 | PC02 | End</P> </BLOCKQUOTE> <P>Timeoutログがある場合は、IDは空欄です。<BR /> この場合、user03は23:35～23:50の使用時間になります。</P> <P>こういったログを1か月分集計し、HOSTNAMEごとの使用時間、IDごとの使用時間を集計したいと考えています。</P> Tue, 10 Jun 2014 07:40:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193884#M55879 pisc 2014-06-10T07:40:29Z https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193885#M55880 <P>Hi pisc,</P> <P>you can use <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Streamstats"><CODE>streamstats</CODE></A> like this:</P> <PRE><CODE>yourBaseSearchHere | streamstats current=false last(STATUS) as last_status last(_time) as time_of_change by ID | where STATUS!=last_status | eval duration=now()-time_of_change | eval duration=strftime(duration, "%H:%M") | table _time, HOSTNAME, ID, duration </CODE></PRE> <P>this is un-tested since I'm missing the real events, so maybe you will need to adapt some things to match your needs.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 10 Jun 2014 11:06:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193885#M55880 MuS 2014-06-10T11:06:47Z https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193886#M55881 <P>Thank you for your comments.<BR /> ..Sorry for not explaining enough.</P> <P>"STATUS" column is included "Timeout" log.</P> <BLOCKQUOTE> <P>DATE | ID | HOSTNAME | STATUS<BR /> 14/05/31 23:35 | user03 | PC02 | Start<BR /> 14/05/31 23:50 | | PC02 | Timeout<BR /> 14/05/31 23:55 | user04 | PC02 | Start<BR /> 14/05/31 23:59 | user04 | PC02 | End</P> </BLOCKQUOTE> <P>ID is not included in the log "Timeout".</P> <P>in this case, the use of time user03, until 23:50 there is a Timeout log from "STRAT" 23:35.</P> <P>I want to measure the PC usage time of each user in this case.</P> <P>I'm sorry for my clumsy English.<BR /> It would be extremely helpful if you could tell me that.</P> <P>pisc</P> Wed, 11 Jun 2014 01:34:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193886#M55881 pisc 2014-06-11T01:34:13Z https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193887#M55882 <P>try something like this:</P> <PRE><CODE>yourBaseSearchHere | streamstats current=false last(STATUS) as last_status last(_time) as time_of_change by HOSTNAME | where STATUS="Start" ( last_status="Timeout" OR last_status="End" ) | eval duration=now()-time_of_change | eval duration=strftime(duration, "%H:%M") | table _time, HOSTNAME, ID, duration </CODE></PRE> <P>this will group your events by HOSTNAME and calculates the duration. The table will display the date, HOSTNAME, ID (if available) and the duration.</P> <P>hope this make sense</P> Wed, 11 Jun 2014 07:27:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-quot-duration-quot-without-use-transaction/m-p/193887#M55882 MuS 2014-06-11T07:27:07Z