Time difference within a transaction command

tbrown · ‎06-09-2020

I have a search that uses the transaction:

| transaction startswith=<...> endswith=<...>

Command to group it into certain events I want to see. How would I search this even further to get the time difference between each event in this transaction and then graph these time differences to a line/bar graph with the events/hosts on X-axis and time on y-axis. There are no specific fields for each event that I want to use to calculate the time difference, I only want to show the time difference between each and every raw log in this transaction.

richgalloway · ‎06-10-2020

The duration field shows the time difference between the first and last events in the transaction. To get the deltas between individual events you'll have to parse the transaction.

---
If this reply helps you, Karma would be appreciated.

tbrown · ‎06-10-2020

@richgalloway

What would that command look like then? I have been trying to parse the transactions but haven't been able to find a working command that calculates the delta times.

Time difference within a transaction command

eval

timechart

transaction

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

Time difference within a transaction command

eval

timechart

transaction

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination