Hi Guys,

Anyone can help with the syntax provided by Somesoni2?
I need to set a rule, to identify the Start or Stop if the device is not sending any data for more than 30secs.

I'm kinda desperate here now .... Please help
source="gps_Testing.csv" sourcetype="csv" | sort 0 _time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start* End* Outage_Duration

Hey Guys,

@somesoni2, provided this '
source="gps_Testing.csv" sourcetype="csv" | sort 0 time | table _time Time ID Lat Long Heading Speed | eval Time=_time | streamstats current=f window=1 values(Lat) as prevLat values(Long) as prevLong values(_time) as prevtime by ID | eval diff=_time-prevtime | where diff!=0 | table ID prevtime prevLat prevLong _time Lat Long diff | eval Date=strftime(prevtime,"%Y-%m-%d") | eval Start_Time=strftime(prevtime,"%H:%M") | eval End_Time=strftime(_time,"%H:%M") | rename prev* as Start* Lat as End_Lat Long as End_Long diff as Outage_Duration | table Date ID Start_* End_* Outage_Duration '

Which work fine, showing everything i needed but every single line is group within 1 mins, which is off as most of the duration is more than 1 mins. I can't seem to find the command that establish the rules to group the Start and Stop that ;
If the device stop transmitting for more than 30s, consider that as a Stop and the Next Incoming will be a New
Start

Can anyone help to improve this? appreciate a lot guys

Thanks woodcock and somesoni2

@Woodcock, sorry for not mentioning about the Host but the latest string doesnt help and return the same error
@Somesoni2, thanks but that don't return any results.

Let me try to delete and upload the file again. Would you guys like the original file? I can email to both.

Many thanks

I've replied to your email. Please check and let me know if that works.

thanks. I've replied to your email, not too sure if u receive it.
I think there is a problem with my timestamp, i tried a few format but it doesnt work.
What/how did you transform your timestamp at the "timestamp format" ?

You do not transform the timestamp, you describe it. If what you describe matches what is in the data, then it works.

i can't post a printscreen here to show it. Is there anyway i can show it to you so u can help me with the timestamp ?
The original file timestamp is showed as " dd/mm/yy hh:ss " within a single cell, i can't get splunk to recognize it.
What the right way to describe it?

Type in the results of this search:

Your base search | head 1 | table _time _raw