How to pull end time instead of start time from my...

tondapi · ‎08-23-2015

Hi,

The search below is retrieving start time (due to transaction), but I need to pull end time and I don't know the exact command. Please help me to pull end date instead of start time.

index=os  sourcetype="syslog d"  (job_name =WHK9225 )  | transaction job_name job_number

aljohnson_splun · ‎08-23-2015

Hi @Tondapi,

Given a search like:

index=os sourcetype="syslog d" (job_name =WHK9225 ) 
| transaction job_name job_number

You can get the end time by utilizing the duration field that gets creating via the transaction command. However, duration gives you back a number of seconds. So I personally would add the duration count to the _time field and use the eval command's function stftime() to format it to something all nice and human.

So you could add this to your search:

eval end_time = strftime(duration + _time, "%F %T")

where %F and %T are whatever time format variables you want to use.

How to pull end time instead of start time from my transaction search?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases