Splunk Enterprise

How to filldown a value within a transacted event?

manikanta461
Explorer

I've transacted 3 events into 1 event based on my requirement.
Let's say the transacted event is X; y1, y2, y3 are the events transacted to form the transacted event X.
y1 has 1 start time, and y2 and y3 have individual end times.
In the transacted event, I find only one value under start time and two values under end time.
I want to fill down my start time with X so that it is filled two times in total within the transaction, so that I'll get the duration (end time - start time).
Any idea on how to filldown the start time value within the transacted event?

0 Karma

Richfez
SplunkTrust

When you use the transaction command, it has always worked best for me to think of it as "erasing" your old events and creating new events that are groups of your old ones.

As such, I am not sure there's even logical meaning to "fill down a value within one transacted event." You do not have three events any longer, you have one. You have one "start" time, and two "end times." The old y1, y2 and y3 events no longer really exist, you simply have event X with those values.

But, that being said - how would you use such a filled-down start time? What exactly were you planning on doing to it/with it? Perhaps if we knew this we could make a better attempt at helping you!

Happy Splunking,
Rich

0 Karma

manikanta461
Explorer

I want to find out the duration between y2, y1 and y3, y1.

0 Karma
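
One way to get both durations from a single transacted event, shown as an added example that is not part of the original thread: split the multivalue end time into one row per value with `mvexpand`, so the single start time is carried onto each row. The field names `txn_id`, `start_time` and `end_time` and all values are constructed sample data standing in for y1 (one start time) and y2, y3 (one end time each).

```spl
| makeresults count=3
| streamstats count AS n
| eval txn_id="X"
| eval _time=1000+n
| eval start_time=if(n=1, 1000, null())
| eval end_time=case(n=2, 1060, n=3, 1090)
| sort 0 - _time
| transaction txn_id
| mvexpand end_time
| eval duration=end_time-start_time
| table txn_id start_time end_time duration
```

With this sample data the result is two rows for X, with durations 60 and 90. By default `transaction` keeps only the unique values of a multivalue field, so two identical end times would collapse into one row unless `mvlist=true` is set.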