Re: Conditional Transaction Search

Wiggy · ‎04-15-2013

Say I have two different logs, source=a.txt and source=b.txt and their format is as follows:

Source=a.txt

09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5492
09-Apr-2013 05:32:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

Source=b.txt

09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5493
09-Apr-2013 05:22:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

For that day, is there a way to present the data by 10 minute intervals to show if the process was still running or not? I have attempted to use the transaction command to help in outputting the result, but am not sure if this is the right path to take. An output example would be:

Time | a.txt | b.txt
00:00 | 0 | 0 
00:10 | 0 | 1
00:20 | 1 | 1
00:30 | 1 | 1
.
.
.
05:20 | 1 | 1
05:30 | 1 | 0
05:40 | 1 | 0

Ayn · ‎04-15-2013

Not sure if you really need transaction for this. Wouldn't it be enough to just run timechart and look at whether the count of events for each timeslice is zero or not?

source="a.txt" OR source="b.txt" | timechart span=10m count by source

Conditional Transaction Search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!