Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional Transaction Search

Wiggy
Splunk Employee
Splunk Employee
‎04-15-2013 11:56 AM

Say I have two different logs, source=a.txt and source=b.txt and their format is as follows:

Source=a.txt

09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:28:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5492
09-Apr-2013 05:32:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

Source=b.txt

09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0177 Copyright 2012 EVault Inc.
09-Apr-2013 00:18:01.204 -06:00 [5492] VVLT-I-0001 Process: 19500, thread = 5493
09-Apr-2013 05:22:23.857 -06:00 [4152] VVLT-I-0033 elapsed time 05:04:22

For that day, is there a way to present the data by 10 minute intervals to show if the process was still running or not? I have attempted to use the transaction command to help in outputting the result, but am not sure if this is the right path to take. An output example would be:

Time | a.txt | b.txt
00:00 | 0 | 0 
00:10 | 0 | 1
00:20 | 1 | 1
00:30 | 1 | 1
.
.
.
05:20 | 1 | 1
05:30 | 1 | 0
05:40 | 1 | 0
0 Karma
Reply

Ayn
Legend
‎04-15-2013 11:59 AM

Not sure if you really need transaction for this. Wouldn't it be enough to just run timechart and look at whether the count of events for each timeslice is zero or not?

source="a.txt" OR source="b.txt" | timechart span=10m count by source
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...