Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transactions/Stats?

b4ggio
Explorer
‎07-19-2011 07:28 AM

I have a log file that contains multiple fields that are time oriented fields. The fields in this instance are the start time and end time of a change request.

I would like to use the fields as start and end markers in a transaction to show me all system events that have occurred during the time window. The unique identifier will be the Hostname.

Log source with time fields.

Date:18/06/2011 10:00:00 Hostname:Foo Start:18/06/2011 15:00:00 End: 18/06/2011 15:00:00

Then I have all the system events.
I would like to pull all the system events together that happened in the window above for the hostname.

Tags (2)
0 Karma
Reply

Paolo_Prigione
Builder
‎07-19-2011 08:46 AM

You might want to use the map command to take the "Start" and "End" timestamps from your events and run sub-searches using them as parameters...

... | ... get the start and end timestamps as fields... | map search="search earliest::$Start$ latest::$End$ sourcetype=.... | transaction hostname" maxsearches=10
Reply

Paolo_Prigione
Builder
‎07-21-2011 01:39 AM

good point....what about converting the timestamps to epoch through the "convert" command, then using them into the "mapped" search as starttimeu and endtimeu?

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 09:16 AM

I cannot reference the field that has been extracted using the earliest::$Fieldname$, either that or the map command as others have indicated on other posts is not working properly.

0 Karma
Reply

RicoSuave
Builder
‎07-19-2011 07:55 AM

try this

mysearch | transaction by Hostname

then just set a custom time in the time dropdown to whatever the timerange is that you want.

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 08:28 AM

Sorry perhaps my request was quite vauge, I want to automate this to complete for each change request line that I have. Therefore the search time should be as large a space of time as required to complete all changes for a given seach, therefore I need to use the two fields similarly to a transaction that includes startswith endswith.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...