- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I have a question about the transaction search command.
If I am using a transaction on an event that has two timestamps in it, how can I access/use both of the timestamps after the transaction is done for start and finish times?
Here's an example of one event that has two timestamps in it.
1342541754952 environment="prodemea" event_type="JobStarting" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"
1342541758729 environment="prodemea" event_type="JobCompleted" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"
Here's the search that I am doing:
index=prod (event_type="jobStarting" OR event_type="JobCompleted") | transaction job_id | table _time duration job_id
The result of the search gives me the start time (_time), the duration of the transaction and the job_id. How can I also get the finish time? (which in this case would be 1342541758729)
Thanks in advance for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.
... | eval starttime=_time | eval endtime=_time+duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.
... | eval starttime=_time | eval endtime=_time+duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems to do the trick. wasn't sure at first that this would work because the duration values didn't seem to be in a format that could be added to the start time. Thanks.
