Solved: Re: events between a specific time

smolcj · ‎12-03-2012

hi all,
how can i query , so that i could be able to get events between a specific time.t the time willbe dynamic so that i cant use earliest or latest time options
please help
thank you

dart · ‎12-05-2012

I'd try source=src.txt | transaction startswith="START" endswith="END"

View solution in original post

dart · ‎12-05-2012

I'd try source=src.txt | transaction startswith="START" endswith="END"

Drainy · ‎12-06-2012

Also, why are you posting on here under multiple usernames? You'd have more karma if you just kept to a single user

Drainy · ‎12-06-2012

Not quite, if you ever say things like, "certain number" or "my query" then it should set alarm bells ringing, those should be a number or a query. Without the detail there is nothing anyone can do but ask you a question instead of offering an answer, which defeats the point of you asking something to begin with 🙂

smolcj · ‎12-06-2012

sorry i was trying with maxspan=the number of events i nedd, it has to be exactly the events in the returned search result. maxevents=8000 worked well.
thank you
drainy,
I think if people didnt understand the comment/question they can ask it, that is the need of an interactive forum , i felt my question was quite ok to understand, and i am sorry for my bad english. will try to improve.
thank you

Drainy · ‎12-06-2012

What is this mysterious "certain number" of events? You really need to think how others will read or understand your questions or comments before posting them, they need to actually advance our understanding of the problem in order to help 😉 Have a read of the transaction docs, there are a number of limits which the command can hit while running, you may just need to override them with more suitable values. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

smolcj · ‎12-05-2012

this works well for certain number of events, if the number of events is more, i am getting the output as
"Nothing to inspect "

kristian_kolb · ‎12-04-2012

Some actual data would be beneficial, but transaction can come a long way in getting this sorted out. There are several types of constraints to limit the 'greediness'.

smolcj · ‎12-04-2012

the values are occuring multiple times i.e
i need the duration between start and end but i will have 3 or 4 pairs of the same repeated in the log.

Ayn · ‎12-04-2012

Is there a specific reason for not using transaction for this?

Also what do the times have to do with this? The way I see it you just want to fetch everything between an event containing "START" and an event containing "END"?

smolcj · ‎12-04-2012

source=src.txt START | append [search index=main source=src.txt | search END]
this is my search query and i will get start and end events but not the events between thenm. i tried appending |search _time>=earliest(_time) _time<=latest(_time)
please help me with a good search
thank you

Drainy · ‎12-04-2012

We'd need more detail than this, do you have a search already? where will the time be coming from? will this be in a dashboard/form?

events between a specific time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life