I am new to Splunk, so if this is a stupid question - forgive me! 😉
I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.
The problem is that i don't have any unique field between the events to do the transaction on.
These are the two events:
11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.
11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.
I tried to do the transaction on the EventCode fields, this works to an extend but not 100% as it creates transaction across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers takes a long time to come online again making the use of maxspan difficult. I also tried using the RecordNumber field as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.
You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:
sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) | transaction host startswith="EventCode=6006" endswith="EventCode=6005" | eval restart_duration=tostring(duration,"duration") | table _time host restart_duration
Seems like 378 days... You can take a look at those found transactions by removing the eval and the table command and looking at long durations by appending | where duration>86400. It probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer, if it was helpful.