Hi All,
I am using the transaction command to group events and get the stop time of a device.
| transaction sys_id startswith="START" endswith="STOP"
| eval stop_time=strftime(mvindex(sys_time,1), "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time
However, when a field has the same value for startswith and endswith (for example, sys_time is the same for both), mvindex(sys_time,1) is empty, whereas mvindex(sys_time,0) gives the value. If the values are different, it works fine.
Does anyone have any idea on this behavior and on how to work around this to get the value regardless?
Hi @mythili ,
you could use an eval command to have the timestamp of the second event:
| eval stop_time=strftime(_time+duration, "%Y-%m-%d %H:%M:%S.%2N")
| table sys_id stop_time
That also works with events that have the same timestamp.
Ciao.
Giuseppe
Hi @mythili ,
why do you need mvindex, if you want to take the first timestamp of the transaction?
usually the transaction command takes as timestamp the one from the first event in the correlated events.
Ciao.
Giuseppe
Hi @gcusello,
I need the timestamp of the 2nd event in the transaction, i.e, the stop time. When it showed empty value, I tested getting both the values and noticed this behavior.
Hi @gcusello,
Thanks for the suggestion. This work-around works for me. But any idea regarding this behavior? Is this a known issue from Splunk?
Hi @mythili,
Honestly, I don't know.
You could open a case with Splunk Support to get an answer or to report a possible bug.
Let me know if I can help you more, or please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
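The behaviour asked about above (mvindex(sys_time,1) empty when START and STOP carry the same sys_time) is consistent with how the transaction command merges fields: with the default mvlist=false, the merged multivalue field holds only the unique values (sorted lexicographically), so two identical values collapse into one element and index 1 does not exist; with mvlist=true (or mvlist=sys_time) one value per event is kept in arrival order. The Python below is an added model of that merge written for this thread, not SPL and not code from any of the posters; the event sample is constructed, and the field names sys_id and sys_time are taken from the question. It compares the mvindex approach with the _time+duration workaround from the accepted answer.

```python
"""Model of why mvindex(sys_time, 1) is empty after | transaction.

Assumption (from the transaction command's mvlist documentation): with the
default mvlist=false the merged multivalue field contains only the unique
values, sorted lexicographically; with mvlist=true it keeps one value per
event in arrival order. Sample events below are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed sample: dev-A has identical START/STOP times, dev-B does not.
# _time values are UTC epoch seconds; sys_time mirrors them as text.
EVENTS = [
    {"_time": 1700000000.10, "sys_id": "dev-A", "state": "START", "sys_time": "2023-11-14 22:13:20.10"},
    {"_time": 1700000000.10, "sys_id": "dev-A", "state": "STOP",  "sys_time": "2023-11-14 22:13:20.10"},
    {"_time": 1700000100.25, "sys_id": "dev-B", "state": "START", "sys_time": "2023-11-14 22:15:00.25"},
    {"_time": 1700000130.50, "sys_id": "dev-B", "state": "STOP",  "sys_time": "2023-11-14 22:15:30.50"},
]


def transaction(events, key, mvlist=False):
    """Group events by `key` the way `| transaction <key>` does.

    Each returned transaction carries _time (earliest event), duration
    (latest - earliest) and a merged multivalue sys_time field.
    """
    groups = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        groups.setdefault(ev[key], []).append(ev)
    out = []
    for k, evs in groups.items():
        times = [e["_time"] for e in evs]
        values = [e["sys_time"] for e in evs]
        if mvlist:
            merged = values                  # mvlist=true: arrival order, duplicates kept
        else:
            merged = sorted(set(values))     # default: unique values only
        out.append({
            key: k,
            "_time": min(times),
            "duration": max(times) - min(times),
            "sys_time": merged,
        })
    return out


def mvindex(values, i):
    """mvindex(): returns None (Splunk null) when the index does not exist."""
    return values[i] if -len(values) <= i < len(values) else None


def stop_time_via_mvindex(txn):
    """The original approach: second element of the merged sys_time field."""
    return mvindex(txn["sys_time"], 1)


def stop_time_via_duration(txn):
    """The workaround from the thread: strftime(_time+duration, "...%2N")."""
    ts = datetime.fromtimestamp(txn["_time"] + txn["duration"], tz=timezone.utc)
    # %2N (hundredths of a second) has no Python equivalent, so build it by hand.
    return ts.strftime("%Y-%m-%d %H:%M:%S.") + f"{ts.microsecond // 10000:02d}"


if __name__ == "__main__":
    for txn in transaction(EVENTS, "sys_id"):
        print(txn["sys_id"], "mvindex:", stop_time_via_mvindex(txn),
              "_time+duration:", stop_time_via_duration(txn))
    for txn in transaction(EVENTS, "sys_id", mvlist=True):
        print(txn["sys_id"], "mvindex with mvlist=true:", stop_time_via_mvindex(txn))
```

Running it shows dev-A losing its stop time under the default merge while the _time+duration form gives it for both devices; with mvlist=true the mvindex form works as well, so, if the assumption holds, adding mvlist=true to the transaction command is a second way to keep both timestamps.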