
Calculate duration between Windows EventCodes

Explorer

Hi,

I am new to Splunk, so if this is a stupid question - forgive me! 😉

I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.

The problem is that I don't have any unique field between the events to do the transaction on.

These are the two events:

SERVER SHUTDOWN INITIATED

11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.

SERVER RESTARTED AND ONLINE

11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.

I tried to do the transaction on the EventCode fields. This works to an extent, but not 100%, as it creates transactions across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers take a long time to come online again, making the use of maxspan difficult. I also tried using the RecordNumber field, as the RecordNumber between normal shutdowns and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.

Any ideas?


Re: Calculate duration between Windows EventCodes

Influencer

You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) 
| transaction host startswith="EventCode=6006" endswith="EventCode=6005" 
| eval restart_duration=tostring(duration,"duration") 
| table _time host restart_duration


Re: Calculate duration between Windows EventCodes

Explorer

Thx a million! Exactly what I needed!


Re: Calculate duration between Windows EventCodes

Explorer

Just one more question - why would the restart duration be displayed like this for some hosts? 378+14:52:21


Re: Calculate duration between Windows EventCodes

Influencer

Seems like 378 days... You can take a look at those found transactions by removing the eval and the table commands and looking at long durations by appending | where duration>86400. It is probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer if it was helpful.

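The pairing the accepted answer's transaction does (open a window on EventCode=6006 per host, close it on the next 6005 from the same host) and the duration>86400 sanity check from the last reply, as an added Python example that is not part of the thread or of Splunk itself. The event lines, host names SRV01/SRV02 and record numbers are constructed for illustration; the duration string mimics Splunk's D+HH:MM:SS output so the "378+14:52:21" case is reproduced.

```python
from datetime import datetime

# Constructed sample events in the format quoted in the thread (not real log data).
# SRV01 restarts normally; SRV02 has no paired startup for over a year (missing event).
SAMPLE_EVENTS = """\
11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=SRV01 Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.
11/24/10 11:48:05 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=SRV02 Category=0 CategoryString=none RecordNumber=20011 Message=The Event log service was stopped.
11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=SRV01 Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.
12/08/11 02:40:26 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=SRV02 Category=0 CategoryString=none RecordNumber=20013 Message=The Event log service was started.
"""

SUSPECT_SECONDS = 86400  # the "| where duration>86400" check suggested in the thread

def parse_event(line):
    """Return (timestamp, fields) for one event line in the thread's format."""
    parts = line.split(" ", 3)  # date, time, AM/PM, then the key=value fields
    if len(parts) < 4:
        return None
    ts = datetime.strptime(" ".join(parts[:3]), "%m/%d/%y %I:%M:%S %p")
    head, _, message = parts[3].partition("Message=")  # Message is last and has spaces
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["Message"] = message
    return ts, fields

def splunk_duration(seconds):
    """Format like tostring(duration,"duration"): D+HH:MM:SS, or HH:MM:SS under a day."""
    days, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{days}+{h:02}:{m:02}:{s:02}" if days else f"{h:02}:{m:02}:{s:02}"

def pair_restarts(text):
    """Emulate: transaction host startswith="EventCode=6006" endswith="EventCode=6005"."""
    open_shutdown = {}  # host -> timestamp of its most recent, still unmatched 6006
    results = []
    for line in text.splitlines():
        parsed = parse_event(line)
        if not parsed:
            continue
        ts, f = parsed
        host, code = f["ComputerName"], f["EventCode"]
        if code == "6006":
            open_shutdown[host] = ts  # a new shutdown opens (or restarts) the window
        elif code == "6005" and host in open_shutdown:  # 6005 with no open 6006 is dropped
            secs = (ts - open_shutdown.pop(host)).total_seconds()
            results.append({"host": host, "duration": secs,
                            "restart_duration": splunk_duration(secs),
                            "suspect": secs > SUSPECT_SECONDS})  # flag likely missing events
    return results
```

A "suspect" row is the one to inspect for a gap in the collected events or a mis-parsed timestamp rather than a real 378-day restart.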