Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transaction start and finish times

Ant1D
Motivator
‎07-17-2012 10:35 AM

Hey,

I have a question about the transaction search command.

If I am using a transaction on an event that has two timestamps in it, how can I access/use both of the timestamps after the transaction is done for start and finish times?

Here's an example of one event that has two timestamps in it.

1342541754952 environment="prodemea" event_type="JobStarting" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"
1342541758729 environment="prodemea" event_type="JobCompleted" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"

Here's the search that I am doing:
index=prod (event_type="jobStarting" OR event_type="JobCompleted") | transaction job_id | table _time duration job_id

The result of the search gives me the start time (_time), the duration of the transaction and the job_id. How can I also get the finish time? (which in this case would be 1342541758729)

Thanks in advance for your help.

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-17-2012 10:41 AM

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-17-2012 10:41 AM

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration
Reply
Solved! Jump to solution

Ant1D
Motivator
‎07-18-2012 03:32 AM

seems to do the trick. wasn't sure at first that this would work because the duration values didn't seem to be in a format that could be added to the start time. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...