Calculate duration between Windows EventCodes

Explorer

Hi,

I am new to Splunk, so if this is a stupid question - forgive me! 😉

I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.

The problem is that I don't have any unique field between the events to do the transaction on.

These are the two events:

SERVER SHUTDOWN INITIATED

11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.

SERVER RESTARTED AND ONLINE

11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.

I tried to do the transaction on the EventCode fields, this works to an extent but not 100% as it creates transactions across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers take a long time to come online again, making the use of maxspan difficult. I also tried using the RecordNumber field, as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.

Any ideas?

1 Solution

Influencer

You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) 
| transaction host startswith="EventCode=6006" endswith="EventCode=6005" 
| eval restart_duration=tostring(duration,"duration") 
| table _time host restart_duration

Influencer

Seems like 378 days... You can take a look at those found transactions by removing the eval and the table command and looking at long durations by appending | where duration>86400. It is probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer if it was helpful.


Explorer

Just one more question - why would the restart duration be displayed like this for some hosts? 378+14:52:21


Explorer

Thanks a million! Exactly what I needed!
