Splunk Search

Which timestamp is used when piping a transaction result into timechart command

jbrenner
Path Finder

I have a transaction command which correlates two log entries. If I pipe this result into a timechart command, which log entry's timestamp does it use to bucketize the results (the first or the second)?

Also, is there a way to specify this?

Thanks! Jonathan


diogofgm
SplunkTrust

Hi Jonathan
The timestamp used is the one from the earliest event in the transaction, and I don't believe there is a way to change that.
Another option, depending on your use case, would be to use stats instead; then you could use min(_time) and max(_time), so you end up with two time fields that you can choose from.

------------
Hope I was able to help you. If so, some karma would be appreciated.

johnhua
Builder

The transaction will generate a duration field which you can add to _time to get the end time.

| transaction ........
| eval _time=_time+duration
| timechart ........
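To make both answers concrete, here is an added Python model of the behaviour they describe (a constructed simulation for illustration, not Splunk's own code or search engine): transaction stamps each group with its earliest _time plus a duration, timechart buckets rows on _time, and the eval _time=_time+duration trick re-buckets each pair on its last event; stats min/max is modelled alongside for comparison. The login/logout events, session_id key and 1h span are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events (not real logs): one login/logout pair per session_id;
# s2's logout is listed before its login to show that event order does not matter.
EVENTS = [
    {"_time": 1700000100, "session_id": "s1", "action": "login"},
    {"_time": 1700002500, "session_id": "s1", "action": "logout"},
    {"_time": 1700004000, "session_id": "s2", "action": "logout"},
    {"_time": 1700002000, "session_id": "s2", "action": "login"},
    {"_time": 1700003000, "session_id": "s3", "action": "login"},
    {"_time": 1700003600, "session_id": "s3", "action": "logout"},
]
SPAN = 3600  # timechart span=1h, in seconds

def _times_by_key(events, key):
    """Group the _time values of events sharing the same correlation key."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e["_time"])
    return groups

def transaction(events, key):
    """Model `transaction <key>`: _time = earliest event, duration = latest - earliest."""
    return [{key: k, "_time": min(t), "duration": max(t) - min(t), "eventcount": len(t)}
            for k, t in _times_by_key(events, key).items()]

def stats_min_max(events, key):
    """Model `stats min(_time) AS start_time max(_time) AS end_time BY <key>`."""
    return [{key: k, "start_time": min(t), "end_time": max(t)}
            for k, t in _times_by_key(events, key).items()]

def timechart_count(rows, span, time_field="_time"):
    """Model `timechart span=<span> count`: bucket each row on floor(time / span)."""
    buckets = defaultdict(int)
    for r in rows:
        buckets[(r[time_field] // span) * span] += 1
    return dict(sorted(buckets.items()))

def count_by_start(events, key, span):
    """transaction | timechart: each pair lands in the bucket of its first event."""
    return timechart_count(transaction(events, key), span)

def count_by_end(events, key, span):
    """transaction | eval _time=_time+duration | timechart: bucket on the last event."""
    rows = transaction(events, key)
    for r in rows:
        r["_time"] += r["duration"]
    return timechart_count(rows, span)
```

With the sample data, s2 starts in the first hourly bucket but ends in the second, so the two bucketings disagree on that pair: by start the counts are 2 and 1, by end they are 1 and 2.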