Splunk Search

Transactions/Stats?

b4ggio
Explorer

I have a log file that contains multiple fields that are time oriented fields. The fields in this instance are the start time and end time of a change request.

I would like to use the fields as start and end markers in a transaction to show me all system events that have occurred during the time window. The unique identifier will be the Hostname.

Log source with time fields.

Date:18/06/2011 10:00:00 Hostname:Foo Start:18/06/2011 15:00:00 End: 18/06/2011 15:00:00

Then I have all the system events.
I would like to pull all the system events together that happened in the window above for the hostname.


Paolo_Prigione
Builder

You might want to use the map command to take the "Start" and "End" timestamps from your events and run sub-searches using them as parameters...

... | ... get the start and end timestamps as fields... | map search="search earliest=$Start$ latest=$End$ sourcetype=.... | transaction hostname" maxsearches=10

Paolo_Prigione
Builder

good point....what about converting the timestamps to epoch through the "convert" command, then using them in the "mapped" search as starttimeu and endtimeu?


b4ggio
Explorer

I cannot reference the field that has been extracted using the earliest::$Fieldname$, either that or the map command as others have indicated on other posts is not working properly.


RicoSuave
Builder

try this

mysearch | transaction by Hostname

then just set a custom time in the time dropdown to whatever the timerange is that you want.


b4ggio
Explorer

Sorry, perhaps my request was quite vague. I want to automate this to complete for each change request line that I have. Therefore the search time should be as large a space of time as required to complete all changes for a given search, therefore I need to use the two fields similarly to a transaction that includes startswith endswith.

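Putting the two suggestions in this thread together (convert Start/End to epoch, then drive one bounded sub-search per change record with map), here is an added example search; it is not from any poster. It assumes the change records are in sourcetype change_requests, the system events in sourcetype system_events, that Start and End are already extracted as fields in the day/month/year format shown in the question, and that both sourcetypes share the Hostname field.

```spl
sourcetype=change_requests
| eval start_epoch=strptime(Start, "%d/%m/%Y %H:%M:%S"),
       end_epoch=strptime(End, "%d/%m/%Y %H:%M:%S")
| where isnotnull(start_epoch) AND isnotnull(end_epoch) AND end_epoch>=start_epoch
| table Hostname Start End start_epoch end_epoch
| map maxsearches=100 search="search sourcetype=system_events Hostname=\"$Hostname$\" earliest=$start_epoch$ latest=$end_epoch$
    | eval change_start=\"$Start$\", change_end=\"$End$\"
    | transaction Hostname"
| table _time Hostname change_start change_end eventcount duration _raw
```

The outer search's own time picker only needs to cover the change records; each mapped sub-search sets its own earliest/latest from the record, and maxsearches must be at least the number of change records or the remaining rows are silently skipped.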