Splunk Search

Table for Daily Event Start/Finish Time

bcarr12
Path Finder

I am trying to create a table that shows what time two particular events occur daily (one term signifies start, another signifies end). Start time and end time can be found by searching for two distinct terms which only occur once daily in the same log. For instance:

Start Time text occurs at 9:25pm
End Time text occurs at 9:35pm

I would like to create a table for what time Start Time text occurs, what time End Time text occurs, and preferably the time difference between the two. I have tried a few things with appendcols to run a subsearch but am not having much luck. I'm guessing I need to use eval to set each search term as a field, or define them both as a single transaction and work with it from there? Any tips to steer me in the right direction would be appreciated.

I have been able to get as far as generating a table that shows that each term shows up once per day using the following search, but I would like to have one "line" for each day of the week that shows what time Term X occurred at, and what time Term Y occurred at - so this is still not quite right:

"Start Time Text" OR "End Time Text" source="logfile.log" | eval start_event=if(searchmatch("Start Time Text"),1,0) | eval end_event=if(searchmatch("End Time Text"),1,0) | table date_wday, start_event, end_event


Ayn
Legend

I might be misinterpreting your question, but since you know that you're getting exactly two events each day and you also know that the first one is the start event and the second one is the end event, couldn't you do something like this?

"Start Time text" OR "End Time text" | timechart span=1d earliest(_time) as StartTime, latest(_time) as EndTime | eval TimeDiff = EndTime-StartTime

EDIT: Removed a by clause that shouldn't have been in the search.

bcarr12
Path Finder

Thanks again! I am almost there... I currently have the search configured this way:
"Start Time Text" OR "End Time Text" source="logfile.log" | eval time=strftime(_time,"%r") | timechart span=1d earliest(time) as start_time, latest(time) as end_time | eval Weekday=strftime(_time,"%A %n %m/%d") | table Weekday,start_time,end_time

The strange thing is that when I use the eval command to convert _time as I did above I get two unique time values for start and end. If I don't and leave _time as is, I get identical values for both (which is why the difference isn't being calculated). Any ideas?

Ayn
Legend

You can make the time fields human readable by using convert ctime(StartTime) ctime(EndTime) at the end. As to the TimeDiff being 0, well that implies that you have the same _time value for StartTime and EndTime.

And yes, if you don't want the midnight time you can reformat that, or you can switch from timechart span=1d to stats ... by date_mday. Beware though that if you go that route you need to keep track of different months if you search over a timerange that spans over multiple months.


bcarr12
Path Finder

I think this is on the right path, but the chart that gets created by running this search gives time value of midnight for each day (I can probably update this to just show weekday/date instead), but StartTime and EndTime values look like this: "1357534800" and TimeDiff is 0.

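A version of the search that keeps the real event timestamps, added here as an example rather than code from either poster. timechart rounds _time down to the span boundary before earliest() and latest() are evaluated, which is why both come back as the midnight epoch value and TimeDiff is 0; copying _time into a separate field before timechart avoids that. The search terms and source="logfile.log" are taken from the thread; the field names event_ts, StartTime, EndTime, TimeDiffSec and Weekday are assumed.

```spl
"Start Time Text" OR "End Time Text" source="logfile.log"
| eval event_ts=_time
| timechart span=1d earliest(event_ts) as StartTime latest(event_ts) as EndTime
| where isnotnull(StartTime) AND isnotnull(EndTime)
| eval TimeDiffSec=EndTime-StartTime
| eval Weekday=strftime(_time,"%A %m/%d")
| eval StartTime=strftime(StartTime,"%r"), EndTime=strftime(EndTime,"%r")
| table Weekday StartTime EndTime TimeDiffSec
```

The where clause drops days on which neither term occurred, so each remaining row is one day with its start time, end time and the difference in seconds.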