Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display time stamp in each line on transaction ?

hemanath_ofc
Explorer
‎10-31-2014 08:20 AM

1

0/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.747 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.840 WLL-EX CCTX_POS_GET_TenderTypeStatus = 0

10/21/14 13:17:08.919 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.919 SERIAL Send Msg() >
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]

10/21/14 13:17:09.090 WLL-EX CCTX_OS_GET_TypeStatus = 0

10/21/14 13:17:09.090 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start

in above log.. i formed a transaction using "transaction startswith="ZPIMXTerminal.Send Start" endswith="ZPIMXTerminal.Send Start"

i wanted to display time stamp in below 2 two lines 

10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]

if I specify _time its giving me only the start time of the transaction

0 Karma
Reply

aholzer
Motivator
‎10-31-2014 08:42 AM

I'd suggest capturing the times you are interested in before the transaction into a different field. Like so:

<base search> | eval ack_sent_time = if(like(_raw,"%GetAckNak Sent%"),_time,nullif(1,1)) | eval ack_recv_time = if(like(_raw,"%GetAckNak Recv%"),_time,nullif(1,1)) | transaction ...

This will store the _time in a field called ack_sent_time only if the event contains "GetAckNak Sent", and will store the _time in a field called ack_recv_time only if the event contains "GetAckNak Recv". Otherwise these fields will be NULL.

This will allow you to do things like:

... | stats latest(ack_sent_time) earliest(ack_recv_time) by <field>

To get the last sent time, and the first recieved time.

Hope this helps.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...