Splunk Search

Duration by messageid and in seconds

Path Finder

In a earlier question I asked a question about an eval, this was luckily solved by Mus. Now I wonder how i can present the results in one line per ID
This is my search:

<my search>  
| eval Start=if('message.information'=="Start",_time,null()) 
| eval End =if('message.information'=="End",_time,null()) |eval dur= Start-End

What I am searching for is how to get one line per ID , this is unique for all the events I want the duration for.

Tags (1)
0 Karma


@Mike6960 ,


your search |stats latest(eval(if('message.information'=="Start",_time,null()))) as Start, latest(eval(if('message.information'=="End",_time,null()))) as End by ID |eval dur=Start-End

You may use first as well instead of latest

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!