Time difference for the transaction - Splunk Community

Splunk Search

I want to find the time difference between the transactions,display as a chart

My data will look like this

Mon Sep 24 11:00:30 CDT 2012,xxx,START

Mon Sep 24 11:00:31 CDT 2012,xxx,COMPLETION: Succeeded

so what i need is (11:00:30-11:00:31) is 01 seconds

Plz Help

I used the search command as
source="task"|transaction task_action startswith=START endswith=Succeeded|Table_time task_action duration

90% of the result is coming correct ..
but for some case the result is not an exact difference

Have a look at the duration field which is created by the transaction command, it should be precisely what you need.

You might check that your time extractions are correct. If Splunk's interpretation of each event's time is incorrect, that could lead to the duration field being incorrect.

Well, you need to check what is causing this problem - the functionality is there, so...

I used the duration also but since i got wrong results for some cases

Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars Sometimes, you just need to see the code. For those looking for a ...