Splunk Search

Start/End time Displaying Same time

_gkollias
Builder

I have a search where I'd like to show the duration of the order.

My search below almost gives me that, but the start_time and end_time are showing as the same, giving duration a value of 0.000.

Here is my search:

index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$"
| stats min(_time) as start_time, max(_time) as end_time, earliest(status) as start_status, latest(status) as exit_status, first(other) as exit_message, last(total) as total by svc_context_name, _time
| eval duration = (end_time-start_time)
| convert ctime(start_time)
| convert ctime(end_time)
| search exit_status="SUCCESS"
| table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration

I've also tried doing ...|stats earliest(time) as start_time, latest(time) as end_time, etc...| But I get the same results.

Is there a way to modify this search to get more accurate start/end time values?

Thanks!


wpreston
Motivator

See my updated answer on your other question here. Does this help?
