Solved: Every _time timestamp in a transaction as a multiv...

supersleepwalke · ‎08-16-2013

How do I get all the individual event times from a transaction and have them in a multivalue field as part of the transaction?

supersleepwalke · ‎08-16-2013

Easy way to do this is just assign _time to another variable before the transaction. In the following example, I've also used strftime to convert from epoch to human-readable format:

sourcetype=foo "your search here" | eval times=strftime(_time,"%F %H:%M:%S") | transaction bar

Now times will be a multivalue field that contains all the individual timestamps from each event!

View solution in original post

supersleepwalke · ‎08-16-2013

Easy way to do this is just assign _time to another variable before the transaction. In the following example, I've also used strftime to convert from epoch to human-readable format:

sourcetype=foo "your search here" | eval times=strftime(_time,"%F %H:%M:%S") | transaction bar

Now times will be a multivalue field that contains all the individual timestamps from each event!

Every _time timestamp in a transaction as a multivalue field

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Every _time timestamp in a transaction as a multivalue field

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!