I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

host="server" EventCode=4688 OR EventCode=469 | transaction NewProcessName startswith=(EventCode=4688) endswith=(EventCode=4689) | where duration > 1 | search NewProcessName="extend.exe" NewProcessName="excel.exe"

Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

SplunkTrust

Hi, can you be more specific? Is the search above working for you at all?
By looking at your query it seems you pretty much got what you were trying to achieve, apart from some typos and the OR missing in your filter:

host="server" EventCode=4688 OR EventCode=4689 
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"

Let me know if that works for you.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

Thank you for the response. To be more specific, I can't seem to display the result correctly on the dashboard. I am trying to show each application on the x-axis and the duration in hours, minutes, seconds on the y-axis. Also, I would like to display the time when the application was launched. Would you mind pointing out which OR I am missing in my filter?

Thank you.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

SplunkTrust

Hi, it's the second OR, the one in the last line.
If you don't do that you'll be searching for processes with both names.

With regards to your request:

host="server" EventCode=4688 OR EventCode=4689 
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"
| chart values(eval(duration/60)) as duration_minutes by New_Process_Name

Keep in mind duration is in seconds so in order to display that in a chart you need numerical values (seconds, minutes, hours).

Let me know if that helps.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

Thank you. Would you be able to assist in helping me display the numerical values (seconds, minutes, hours)? I tried working on that yesterday and was unsuccessful.

Thanks again for all your help.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

Hi again, I have been working on this query for a couple days. To clarify, I am trying to write a query that tracks application launch time and duration. Rather than give you a sample of the query, like I did in my previous post, below is the exact query I am using and it does not give me the correct results. Any assistance would be helpful. Thanks.

host="WKSDC-0004" EventCode=4688 OR EventCode=4689 | transaction NewProcessID ProcessID ProcessName NewProcessName startswith="EventCode=4688" endswith="EventCode=4689" | search NewProcessName="C:\Program Files (x86)\ExtendSim9\ExtendSim.exe" OR NewProcessName="C:\GAMS\win64\24.0\gamside.exe" OR NewProcessName="Netica.exe" OR NewProcessName="C:\Programs Files (x86)\Vitech\CORE 8\core80.exe" | chart values(eval(duration/60)) as UsageInMinutes by NewProcessName


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

SplunkTrust

Hi,

In that case I wouldn't use a chart but a table to summarise your requirement. Alternatively a timechart might do the trick too.
Two options then:

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| table _time, New_Process_Name, Usage_In_Minutes

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| timechart Usage_In_Minutes by New_Process_Name

Let me know if that works for you.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

Once again, thanks for the quick response. I will not be at work for a couple of days but will give it a try when I return on Tuesday. Thanks again for all the help.


Re: I am trying to write a query that displays how long an application has been running? So far I have the following string.

New Member

Hello,

The first search using "table" does not show the NewProcessName in the display. It shows the time (2016-01-13T05:06:52.000-5:00) and usage in minutes (528). I am not sure I understand the time.

When I use "timechart" I receive the following error:
Error in 'timechart' command: The specifier 'UsageInMinutes' is invalid. It must be in form (). For example: max(size)

Thanks,
Steve

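
The pairing that the thread's `transaction` does, worked through as an added example that is not part of the original posts: the Python below pairs each 4688 (process created) with the next 4689 (process exited) for the same process, the way `transaction ... startswith="EventCode=4688" endswith="EventCode=4689" | where duration > 1` does, and then shapes the result both as the per-launch table (launch time next to minutes used) and as the per-process total that a chart or timechart needs (timechart takes an aggregation such as max() or sum(), not a bare field, which is what the last error message is saying). The events, paths and PIDs are constructed samples; the field names (New_Process_Name and New_Process_ID on a 4688, Process_Name and Process_ID on a 4689) follow the Windows Security event schema and are an assumption about the poster's data. Because the two event types name the PID in different fields, and because two instances of one application can run at the same time, the example pairs on (name, PID) rather than on the process name alone.

```python
from datetime import datetime

# Constructed sample events for this example, not real logs. Field names follow
# the Windows Security event schema: a 4688 (process created) names the child in
# New_Process_Name / New_Process_ID, while the matching 4689 (process exited)
# names it in Process_Name / Process_ID, so the two cannot be paired on a single
# field name without normalising first.
EXTENDSIM = r"C:\Program Files (x86)\ExtendSim9\ExtendSim.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"
GAMSIDE = r"C:\GAMS\win64\24.0\gamside.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

SAMPLE_EVENTS = [
    {"_time": "2016-01-13T05:06:52", "EventCode": 4688, "New_Process_Name": EXTENDSIM, "New_Process_ID": "0x1a4c"},
    {"_time": "2016-01-13T05:07:10", "EventCode": 4688, "New_Process_Name": CONHOST, "New_Process_ID": "0x0ff0"},
    {"_time": "2016-01-13T05:07:11", "EventCode": 4689, "Process_Name": CONHOST, "Process_ID": "0x0ff0"},
    {"_time": "2016-01-13T05:30:00", "EventCode": 4688, "New_Process_Name": EXCEL, "New_Process_ID": "0x2b10"},
    {"_time": "2016-01-13T05:35:00", "EventCode": 4688, "New_Process_Name": EXCEL, "New_Process_ID": "0x2c44"},
    {"_time": "2016-01-13T05:42:00", "EventCode": 4689, "Process_Name": EXCEL, "Process_ID": "0x2b10"},
    {"_time": "2016-01-13T06:05:00", "EventCode": 4689, "Process_Name": EXCEL, "Process_ID": "0x2c44"},
    {"_time": "2016-01-13T13:54:52", "EventCode": 4689, "Process_Name": EXTENDSIM, "Process_ID": "0x1a4c"},
    {"_time": "2016-01-13T14:00:00", "EventCode": 4688, "New_Process_Name": GAMSIDE, "New_Process_ID": "0x1a4c"},
]


def session_key(event):
    """Normalise a 4688 or 4689 event to the (process name, PID) it refers to."""
    if event["EventCode"] == 4688:
        return event["New_Process_Name"].lower(), event["New_Process_ID"]
    if event["EventCode"] == 4689:
        return event["Process_Name"].lower(), event["Process_ID"]
    return None


def pair_process_sessions(events, min_duration=1):
    """Pair each 4688 with the next 4689 for the same (name, PID), like
    `transaction ... startswith="EventCode=4688" endswith="EventCode=4689"
    | where duration > min_duration`.

    Returns (sessions, unmatched): sessions are closed start/end pairs with
    their duration in seconds; unmatched are 4688 events with no 4689 in the
    data (process still running, exit event not collected, or PID reused).
    """
    open_starts = {}            # key -> the still-open 4688 for that key
    sessions, unmatched = [], []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = session_key(ev)
        if key is None:
            continue
        ts = datetime.fromisoformat(ev["_time"])
        if ev["EventCode"] == 4688:
            # A second 4688 for the same (name, PID) before any 4689 means the
            # PID was reused; the earlier start can never close, so report it.
            if key in open_starts:
                unmatched.append(open_starts[key])
            open_starts[key] = {"launch": ts, "name": ev["New_Process_Name"],
                                "pid": ev["New_Process_ID"]}
            continue
        start = open_starts.pop(key, None)
        if start is None:
            continue                # 4689 whose 4688 lies outside the window
        duration = (ts - start["launch"]).total_seconds()
        if duration > min_duration:
            sessions.append({**start, "exit": ts, "duration_s": duration})
    unmatched.extend(open_starts.values())
    return sessions, unmatched


def usage_table(sessions):
    """Rows like `table _time, New_Process_Name, Usage_In_Minutes`: one row per
    launch, so the launch time and the rounded run time sit side by side."""
    return [(s["launch"].isoformat(), s["name"], round(s["duration_s"] / 60))
            for s in sessions]


def usage_by_process(sessions):
    """Total minutes per process: the aggregate a chart or timechart needs
    (timechart wants a function such as sum() or max(), not a bare field)."""
    totals = {}
    for s in sessions:
        totals[s["name"]] = totals.get(s["name"], 0.0) + s["duration_s"]
    return {name: round(secs / 60) for name, secs in totals.items()}


if __name__ == "__main__":
    closed, still_open = pair_process_sessions(SAMPLE_EVENTS)
    for row in usage_table(closed):
        print(*row, sep="\t")
    print(usage_by_process(closed))
    print("no 4689 seen:", [s["name"] for s in still_open])
```

On the constructed sample the ExtendSim launch comes out at 528 minutes, the two overlapping Excel instances are kept apart by PID (12 and 30 minutes, 42 in total), the one-second conhost pair is dropped by the `duration > 1` filter, and gamside.exe, which has no 4689 yet, is reported separately instead of silently vanishing; a transaction that only ever emits closed pairs will never show a process that is still running.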