Extract results from , seperated values - Splunk Community

Splunk Search

I want to calculate the timedifference between the start and the Completion of the task which are in different lines..and also i want to create the chart for time taken for each task to complete

My logs will look like this,

Mon Sep 24 00:00:30 CDT 2012,xxx,Start

Mon Sep 24 00:00:30 CDT 2012,rrr,START

Mon Sep 24 00:00:30 CDT 2012,ttt,Stage 1 of 4 : Assign

Mon Sep 24 00:00:30 CDT 2012,rrr,COMPLETION:Succeeded

Mon Sep 24 00:00:30 CDT 2012,ttt,Stage 2 of 4 : If

Mon Sep 24 00:00:30 CDT 2012,xxx,COMPLETION : Succeeded

i want to create the chart ,having the timedifference between the start ant succeeded of XXX ..

Please help

Transaction will help in this case. Check out the following search.

Notes: YOURSOURCETYPE = what ever you use to find those logs. action is the field name with XXX, rrr, ttt, etc.

sourcetype=YOURSOURCETYPE | transaction action startswith=START endswith=COMPLETION | timechart avg(duration) by action

Transaction reference: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

If this doesn't work for you please let me know instead of down voting.

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...