Solved: Transaction start and finish times

Ant1D · ‎07-17-2012

Hey,

I have a question about the transaction search command.

If I am using a transaction on an event that has two timestamps in it, how can I access/use both of the timestamps after the transaction is done for start and finish times?

Here's an example of one event that has two timestamps in it.
1342541754952 environment="prodemea" event_type="JobStarting" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135" 1342541758729 environment="prodemea" event_type="JobCompleted" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"

Here's the search that I am doing:
index=prod (event_type="jobStarting" OR event_type="JobCompleted") | transaction job_id | table _time duration job_id

The result of the search gives me the start time (_time), the duration of the transaction and the job_id. How can I also get the finish time? (which in this case would be 1342541758729)

Thanks in advance for your help.

Ayn · ‎07-17-2012

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration

View solution in original post

Ayn · ‎07-17-2012

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration

Ant1D · ‎07-18-2012

seems to do the trick. wasn't sure at first that this would work because the duration values didn't seem to be in a format that could be added to the start time. Thanks.

Transaction start and finish times

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!