Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transactions/Stats?

b4ggio
Explorer
‎07-19-2011 07:28 AM

I have a log file that contains multiple fields that are time oriented fields. The fields in this instance are the start time and end time of a change request.

I would like to use the fields as start and end markers in a transaction to show me all system events that have occurred during the time window. The unique identifier will be the Hostname.

Log source with time fields.

Date:18/06/2011 10:00:00 Hostname:Foo Start:18/06/2011 15:00:00 End: 18/06/2011 15:00:00

Then I have all the system events.
I would like to pull all the system events together that happened in the window above for the hostname.

Tags (2)
0 Karma
Reply

Paolo_Prigione
Builder
‎07-19-2011 08:46 AM

You might want to use the map command to take the "Start" and "End" timestamps from your events and run sub-searches using them as parameters...

... | ... get the start and end timestamps as fields... | map search="search earliest::$Start$ latest::$End$ sourcetype=.... | transaction hostname" maxsearches=10
Reply

Paolo_Prigione
Builder
‎07-21-2011 01:39 AM

good point....what about converting the timestamps to epoch through the "convert" command, then using them into the "mapped" search as starttimeu and endtimeu?

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 09:16 AM

I cannot reference the field that has been extracted using the earliest::$Fieldname$, either that or the map command as others have indicated on other posts is not working properly.

0 Karma
Reply

RicoSuave
Builder
‎07-19-2011 07:55 AM

try this

mysearch | transaction by Hostname

then just set a custom time in the time dropdown to whatever the timerange is that you want.

0 Karma
Reply

b4ggio
Explorer
‎07-19-2011 08:28 AM

Sorry perhaps my request was quite vauge, I want to automate this to complete for each change request line that I have. Therefore the search time should be as large a space of time as required to complete all changes for a given seach, therefore I need to use the two fields similarly to a transaction that includes startswith endswith.

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...