
How to display time stamp in each line on transaction?

hemanath_ofc
Explorer


0/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.747 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.840 WLL-EX CCTX_POS_GET_TenderTypeStatus = 0

10/21/14 13:17:08.919 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.919 SERIAL Send Msg() >
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]

10/21/14 13:17:09.090 WLL-EX CCTX_OS_GET_TypeStatus = 0

10/21/14 13:17:09.090 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start

In the above log, I formed a transaction using: transaction startswith="ZPIMXTerminal.Send Start" endswith="ZPIMXTerminal.Send Start"

I wanted to display the time stamp in the below two lines:

10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]

If I specify _time, it's giving me only the start time of the transaction.


aholzer
Motivator

I'd suggest capturing the times you are interested in before the transaction into a different field. Like so:

<base search> | eval ack_sent_time = if(like(_raw,"%GetAckNak Sent%"),_time,nullif(1,1)) | eval ack_recv_time = if(like(_raw,"%GetAckNak Recv%"),_time,nullif(1,1)) | transaction ...

This will store the _time in a field called ack_sent_time only if the event contains "GetAckNak Sent", and will store the _time in a field called ack_recv_time only if the event contains "GetAckNak Recv". Otherwise these fields will be NULL.

This will allow you to do things like:

... | stats latest(ack_sent_time) earliest(ack_recv_time) by <field>

To get the last sent time, and the first received time.

Hope this helps.
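
Added example, not part of the thread and not SPL: a Python model of the capture-before-grouping idea in the answer above, run over a constructed sample modelled on the question's log so the expected values can be checked offline. The function names and the rule that a closing marker does not also open the next group are assumptions of this sketch.

```python
from datetime import datetime

# Constructed sample modelled on the log in the question.
SAMPLE = """\
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL ZPIMXTerminal.Send Start
"""
MARKER = "ZPIMXTerminal.Send Start"

def parse(line):
    """Return (event time, message) for one log line."""
    return datetime.strptime(line[:21], "%m/%d/%y %H:%M:%S.%f"), line[22:]

def group(lines):
    """Group events between marker lines (assumption: a marker that closes
    a group does not also open the next one)."""
    groups, current = [], None
    for line in filter(str.strip, lines):
        when, message = parse(line)
        if MARKER in message:
            if current is None:  # opening marker: the group's single _time
                current = {"_time": when, "ack_sent_time": [], "ack_recv_time": []}
            else:                # closing marker
                current["duration"] = (when - current["_time"]).total_seconds()
                groups.append(current)
                current = None
        elif current is not None:
            # Copy the event's own time into a named field before it is
            # merged, as the two eval commands in the answer do.
            if "GetAckNak Sent" in message:
                current["ack_sent_time"].append(when)
            elif "GetAckNak Recv" in message:
                current["ack_recv_time"].append(when)
    return groups

def summarize(g):
    """Model of: stats latest(ack_sent_time) earliest(ack_recv_time)."""
    fmt = lambda t: t.strftime("%H:%M:%S.%f")[:-3] if t else None
    return (fmt(max(g["ack_sent_time"], default=None)),
            fmt(min(g["ack_recv_time"], default=None)))

if __name__ == "__main__":
    for g in group(SAMPLE.splitlines()):
        print(g["_time"], g["duration"], summarize(g))
```

The grouped record carries one `_time` (the opening marker), while the two list fields keep every matching event's own timestamp, which is why the values survive the merge.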
