Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transactions/Stats?

b4ggio
Explorer
‎07-19-2011 07:28 AM

I have a log file that contains multiple fields that are time oriented fields. The fields in this instance are the start time and end time of a change request.

I would like to use the fields as start and end markers in a transaction to show me all system events that have occurred during the time window. The unique identifier will be the Hostname.

Log source with time fields.

Date:18/06/2011 10:00:00 Hostname:Foo Start:18/06/2011 15:00:00 End: 18/06/2011 15:00:00

Then I have all the system events.
I would like to pull all the system events together that happened in the window above for the hostname.

Tags (2)
0 Karma
Reply

Paolo_Prigione
Builder
‎07-19-2011 08:46 AM

You might want to use the map command to take the "Start" and "End" timestamps from your events and run sub-searches using them as parameters...

... | ... get the start and end timestamps as fields... | map search="search earliest::$Start$ latest::$End$ sourcetype=.... | transaction hostname" maxsearches=10
Reply

Paolo_Prigione
Builder
‎07-21-2011 01:39 AM

good point....what about converting the timestamps to epoch through the "convert" command, then using them into the "mapped" search as starttimeu and endtimeu?

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 09:16 AM

I cannot reference the field that has been extracted using the earliest::$Fieldname$, either that or the map command as others have indicated on other posts is not working properly.

0 Karma
Reply

RicoSuave
Builder
‎07-19-2011 07:55 AM

try this

mysearch | transaction by Hostname

then just set a custom time in the time dropdown to whatever the timerange is that you want.

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 08:28 AM

Sorry perhaps my request was quite vauge, I want to automate this to complete for each change request line that I have. Therefore the search time should be as large a space of time as required to complete all changes for a given seach, therefore I need to use the two fields similarly to a transaction that includes startswith endswith.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...