Sorry for the silly attention-grabbing dancing question mark. 🙂
Thanks for any help on this. I've had to dive into the deep end of Splunk with no previous exposure for various staffing reasons, so please forgive my ignorance.
I've got this, but it's still truncating all rows after 10,000 rows.
Thing.process.valid.request OR herschel.update.job.completed
| transaction activity_id startswith="Thing.process.valid.request" endswith="herschel.update.job.completed"
| eval start_time=_time
| eval end_time=_time+duration
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(start_time) AS ThingPackager_Start
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(end_time) AS Sent_To_Thing
| eval delay_hours = round(duration/60/60, 2)
| rename activity_id AS tar_name
| eval media_assetID=substr(tar_name,1,12)
| sort 0 end_time
| stats first(*) as *, first(_*) as _* by media_assetID
| table Thing_Start Sent_To_Thing start_time end_time Thing_id tar_name media_assetID delay_hours | sort 0 by delay_hours desc
Thank you for any help, I'm going bonkers trying to get my head around this syntax.
You're hitting a limit in your transaction command. I'd also recommend adding sort AFTER your reporting command stats. This is not due to sort; see reference:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Btransactions.5D