Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract timings from chained events using start and end times

pbunce1
Explorer
‎09-20-2012 07:15 AM

We have the following events (dots represent other events for clarity) and would like to extract on a per process basis the duration of how long each took (using the start and end time of each process that has been logged and loaded as events)

What would be the best approach to do this, do I need to use txns and specify startwith and endswith and how would I then pull in all process times assuming there will be multiple as per below example (as in what type of syntax to use for this search) - not too worried about result format for now, would just like to understand preferred approach to use for this - many thanks!!!

Sample Events:

11:51:10 - ‘Process 1 Start’

11:52:11 – ‘Process 1 Finish’

11:53:12 – ‘Process 2 Start’

11:54:15 – ‘Process 2 Finish’

….

hence would like to extract:

Process 1 Duration: 61 secs

Process 2 Duration: 63 secs

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-20-2012 01:23 PM

Two ways as I see it (assuming that you have the Process ID extracted into a field called process_id😞

either transaction, where the duration is automatically calculated;

... | transaction process_id | ...

or use stats, which should be more efficient;

... | stats min(_time) AS min_time max(_time) AS max_time by process_id | eval duration = max_time - min_time | ...

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-20-2012 01:23 PM

Two ways as I see it (assuming that you have the Process ID extracted into a field called process_id😞

either transaction, where the duration is automatically calculated;

... | transaction process_id | ...

or use stats, which should be more efficient;

... | stats min(_time) AS min_time max(_time) AS max_time by process_id | eval duration = max_time - min_time | ...

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...