Time difference for the transaction - Splunk Community

Splunk Search

I want to find the time difference between the transactions,display as a chart

My data will look like this

Mon Sep 24 11:00:30 CDT 2012,xxx,START

Mon Sep 24 11:00:31 CDT 2012,xxx,COMPLETION: Succeeded

so what i need is (11:00:30-11:00:31) is 01 seconds

Plz Help

I used the search command as
source="task"|transaction task_action startswith=START endswith=Succeeded|Table_time task_action duration

90% of the result is coming correct ..
but for some case the result is not an exact difference

Have a look at the duration field which is created by the transaction command, it should be precisely what you need.

You might check that your time extractions are correct. If Splunk's interpretation of each event's time is incorrect, that could lead to the duration field being incorrect.

Well, you need to check what is causing this problem - the functionality is there, so...

I used the duration also but since i got wrong results for some cases

Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...