Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract timings from chained events using start and end times

pbunce1
Explorer
‎09-20-2012 07:15 AM

We have the following events (dots represent other events for clarity) and would like to extract on a per process basis the duration of how long each took (using the start and end time of each process that has been logged and loaded as events)

What would be the best approach to do this, do I need to use txns and specify startwith and endswith and how would I then pull in all process times assuming there will be multiple as per below example (as in what type of syntax to use for this search) - not too worried about result format for now, would just like to understand preferred approach to use for this - many thanks!!!

Sample Events:

11:51:10 - ‘Process 1 Start’

11:52:11 – ‘Process 1 Finish’

11:53:12 – ‘Process 2 Start’

11:54:15 – ‘Process 2 Finish’

….

hence would like to extract:

Process 1 Duration: 61 secs

Process 2 Duration: 63 secs

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-20-2012 01:23 PM

Two ways as I see it (assuming that you have the Process ID extracted into a field called process_id😞

either transaction, where the duration is automatically calculated;

... | transaction process_id | ...

or use stats, which should be more efficient;

... | stats min(_time) AS min_time max(_time) AS max_time by process_id | eval duration = max_time - min_time | ...

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-20-2012 01:23 PM

Two ways as I see it (assuming that you have the Process ID extracted into a field called process_id😞

either transaction, where the duration is automatically calculated;

... | transaction process_id | ...

or use stats, which should be more efficient;

... | stats min(_time) AS min_time max(_time) AS max_time by process_id | eval duration = max_time - min_time | ...

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...