
I am trying to write a query that displays how long an application has been running. So far I have the following search string:

New Member

host="server" EventCode=4688 OR EventCode=469 | transaction NewProcessName startswith=(EventCode=4688) endswith=(EventCode=4689) | where duration > 1 | search NewProcessName="extend.exe" NewProcessName="excel.exe"


Explorer

Were you ever able to improve the speed of this search by replacing transaction with a more efficient function, like stats or streamstats? If so, could you share? Thanks!


SplunkTrust

Hi, can you be more specific? Is the search above working for you at all?
By looking at your query it seems you pretty much got what you were trying to achieve, apart from some typos and the OR missing in your filter:

host="server" (EventCode=4688 OR EventCode=4689)
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"

Let me know if that works for you.


New Member

I double checked the field and it is named NewProcessName. When I take "time" out of the search, NewProcess_Name shows up in the display. This actually is what I want but I still need to display what time the application was launched. Can that be displayed as well?

Thanks,
Steve


SplunkTrust

Hi,

Can you copy and paste your query so that I can take a quick look?

Thanks,
J


New Member

Hello,

The first search using "table" does not show the NewProcessName in the display. It shows the time (2016-01-13T05:06:52.000-5:00) and usage in minutes (528). I am not sure I understand the time.

When I use "timechart" I receive the following error:
Error in 'timechart' command: The specifier 'UsageInMinutes' is invalid. It must be in form <function>(<field>). For example: max(size)

Thanks,
Steve


SplunkTrust

Is NewProcessName an actual field in your data? Simply run a quick search against your data (no filtering) to find that out. Keep in mind field names are CASE SENSITIVE.

The timechart error is my fault as I forgot to include the max (or any other aggregation function). I've fixed this in the search below.

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| table _time, New_Process_Name, Usage_In_Minutes

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| timechart max(Usage_In_Minutes) as Usage_In_Minutes by New_Process_Name


New Member

Once again, thanks for the quick response. I will not be at work for a couple of days but will give it a try when I return on Tuesday. Thanks again for all the help.


New Member

Thank you. Would you be able to assist in helping me display the numerical values (seconds, minutes, hours)? I tried working on that yesterday and was unsuccessful.

Thanks again for all your help.


New Member

Hi again, I have been working on this query for a couple days. To clarify, I am trying to write a query that tracks application launch time and duration. Rather than give you a sample of the query, like I did in my previous post, below is the exact query I am using and it does not give me the correct results. Any assistance would be helpful. Thanks.

host="WKSDC-0004" EventCode=4688 OR EventCode=4689 | transaction NewProcessID ProcessID ProcessName NewProcessName startswith="EventCode=4688" endswith="EventCode=4689" | search NewProcessName="C:\Program Files (x86)\ExtendSim9\ExtendSim.exe" OR NewProcessName="C:\GAMS\win64\24.0\gamside.exe" OR NewProcessName="Netica.exe" OR NewProcessName="C:\Programs Files (x86)\Vitech\CORE 8\core80.exe" | chart values(eval(duration/60)) as UsageInMinutes by NewProcessName


SplunkTrust

Hi,

In that case I wouldn't use a chart but a table to summarise your requirement. Alternatively a timechart might do the trick too.
Two options then:

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| table _time, New_Process_Name, Usage_In_Minutes

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| timechart Usage_In_Minutes by New_Process_Name

Let me know if that works for you.



New Member

Thank you for the response. To be more specific, I can't seem to display the result correctly on the dashboard. I am trying to show each application on the x-axis and the duration in hours, minutes, seconds on the y-axis. Also, I would like to display the time when the application was launched. Would you mind pointing out which OR I am missing in my filter?

Thank you.


SplunkTrust

Hi, it's the second OR, the one in the last line.
If you don't do that you'll be searching for processes with both names.

With regards to your request:

host="server" (EventCode=4688 OR EventCode=4689)
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"
| chart values(eval(duration/60)) as duration_minutes by New_Process_Name

Keep in mind duration is in seconds so in order to display that in a chart you need numerical values (seconds, minutes, hours).

Let me know if that helps.

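Added example, not part of the thread above. It answers the two open points at once: the later question about replacing transaction with stats/streamstats, and the original poster's request to show the launch time and the duration as hours, minutes and seconds. Field names (NewProcessID, NewProcessName, ProcessID, ProcessName) and the host value are taken from the poster's own query and are assumed to be the extracted fields in their data. The point of the rewrite: a 4688 (process created) event carries NewProcessID/NewProcessName, while the matching 4689 (process exited) event carries ProcessID/ProcessName, so grouping a transaction on NewProcessName alone never sees the end event. Joining on the process ID with streamstats pairs each exit with the most recent creation of that PID, which also copes with Windows reusing PIDs during the search window.

```spl
host="WKSDC-0004" (EventCode=4688 OR EventCode=4689)
| eval pid=coalesce(NewProcessID, ProcessID),
       pname=coalesce(NewProcessName, ProcessName),
       started=if(EventCode=4688, _time, null())
| sort 0 host, pid, _time
| streamstats current=f last(started) as started by host, pid
| where EventCode=4689 AND isnotnull(started)
| eval duration=_time-started
| where duration > 1
| search pname="*ExtendSim.exe" OR pname="*excel.exe"
| eval launched=strftime(started, "%Y-%m-%d %H:%M:%S"),
       usage_hms=tostring(duration, "duration"),
       usage_minutes=round(duration/60)
| table launched, pname, usage_minutes, usage_hms
```

Each row is one process run: launched is the 4688 time, usage_hms is the run length formatted as HH:MM:SS (or D+HH:MM:SS past a day), and usage_minutes is the plain number a chart needs. Processes that started before or ended after the search time range have no partner event and are dropped by the isnotnull check. The sort 0 is needed because streamstats walks events in order and search results arrive newest first; on a large time range that sort is the expensive step, so keep the host filter and EventCode filter in the base search.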