
how to get my duration from transaction

Engager

My search query is this:

DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop")
| rex field=CREATEDATETIME "2019+ (?<TIMEONLY>[^,]+)"
| rex field=CREATEDATETIME "(?[^\s]+)"
| rex field=TIMEONLY "(?<Hour>.*):(?<Minute>.*):(?<Second>.*)\s(?<AM>.*)"
| eval TIMEONLY = Hour*3600 + Minute*60 + Second
| eval AM=case(AM="AM","0",AM="PM","43200")
| eval TIMEONLY=TIMEONLY+AM
| sort by !TIMEONLY
| transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP"

Result I get from the search:

I have created a field for TIMEONLY, but I am stuck on getting the duration between the run and stop times. What can I do so that I am able to subtract my run and stop times to get the active time duration?

0 Karma

Re: how to get my duration from transaction

Legend

Hi @chookp,
the duration field that's displayed by the transaction command isn't useful for you?

Ciao.
Giuseppe

0 Karma

Re: how to get my duration from transaction

Engager

The transaction command is useful to me, but the info I need is lacking: when I use transaction there are multiple values of TIMEONLY, and I just need to subtract my two TIMEONLY values to get my active duration. This is the part where I am stuck.

0 Karma

Re: how to get my duration from transaction

Ultra Champion
DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop") 
| eval TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p")
| eventstats range(TIMEONLY) as duration by DESCRIPTION
| eval duration=tostring(duration,"duration")
0 Karma

Re: how to get my duration from transaction

Engager

Hi, I am sorry, as I am new to Splunk I am not sure about | eval TIMEONLY=strptime(CREATEDATETIME ,"%m/%d/%Y %T %p") | eventstats range(TIMEONLY) as duration by DESCRIPTION | eval duration=tostring(duration,"duration"). Are you able to break down the meaning? I had tried to use the command but did not get the answer I expected.

0 Karma

Re: how to get my duration from transaction

Ultra Champion
0 Karma

Re: how to get my duration from transaction

Ultra Champion

CREATEDATETIME is in the format "%m/%d/%Y %T %p".
strptime makes epoch time to duration.
eventstats range aggregates the duration between run and stop.
tostring changes the duration to a readable form.

0 Karma
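As an added example that is not code from this thread, the Python script below reproduces on constructed sample events the three approaches discussed here: the original search's Hour*3600 + Minute*60 + Second (+43200 for PM) arithmetic, the strptime / eventstats range / tostring pipeline from the answer, and a RUN-to-STOP pairing that does what transaction startswith=VALUE="RUN" endswith=VALUE="STOP" does. Assumptions: the timestamp layout is the "%m/%d/%Y %T %p" named in the answer (written here as "%I:%M:%S %p", since Python's strptime has no %T and a 12-hour hour is needed next to %p), the events carry the fields DESCRIPTION, CREATEDATETIME and VALUE as in the question, and the sample rows are made up.

```python
from datetime import datetime

# Constructed sample events for this example (not data from the thread).
SAMPLE_EVENTS = [
    {"DESCRIPTION": "sump pump",    "CREATEDATETIME": "07/15/2019 08:05:00 AM", "VALUE": "RUN"},
    {"DESCRIPTION": "sump pump",    "CREATEDATETIME": "07/15/2019 08:07:30 AM", "VALUE": "STOP"},
    {"DESCRIPTION": "sump pump",    "CREATEDATETIME": "07/15/2019 01:00:00 PM", "VALUE": "RUN"},
    {"DESCRIPTION": "sump pump",    "CREATEDATETIME": "07/15/2019 01:04:15 PM", "VALUE": "STOP"},
    {"DESCRIPTION": "ejector pump", "CREATEDATETIME": "07/15/2019 11:58:00 PM", "VALUE": "RUN"},
    {"DESCRIPTION": "ejector pump", "CREATEDATETIME": "07/16/2019 12:01:00 AM", "VALUE": "STOP"},
]

# Assumed layout: Splunk's "%m/%d/%Y %T %p" expressed with %I so that %p is honoured.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
EPOCH = datetime(1970, 1, 1)


def to_epoch(text):
    """strptime(CREATEDATETIME, ...) equivalent: full timestamp -> seconds (naive, no TZ)."""
    return (datetime.strptime(text, TIME_FORMAT) - EPOCH).total_seconds()


def question_timeonly(text):
    """Reproduce the original search's arithmetic: Hour*3600 + Minute*60 + Second,
    plus 43200 for PM. It discards the date and treats the 12 o'clock hour as 12."""
    hms, ampm = text.split(" ")[1:]
    hour, minute, second = (int(x) for x in hms.split(":"))
    return hour * 3600 + minute * 60 + second + (43200 if ampm == "PM" else 0)


def to_duration_string(seconds):
    """Mimic tostring(x, "duration"): HH:MM:SS, with a D+ prefix once a day is reached."""
    seconds = int(round(seconds))
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{body}" if days else body


def range_by_description(events):
    """eventstats range(TIMEONLY) by DESCRIPTION: max - min over ALL events of a pump.
    This equals the active time only when the pump has a single RUN/STOP cycle."""
    spans = {}
    for e in events:
        t = to_epoch(e["CREATEDATETIME"])
        lo, hi = spans.get(e["DESCRIPTION"], (t, t))
        spans[e["DESCRIPTION"]] = (min(lo, t), max(hi, t))
    return {desc: hi - lo for desc, (lo, hi) in spans.items()}


def run_stop_cycles(events):
    """transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP" equivalent:
    walk events in time order and pair each RUN with the next STOP of the same pump.
    Returns one (DESCRIPTION, start_epoch, duration_seconds) tuple per closed cycle."""
    ordered = sorted(events, key=lambda e: to_epoch(e["CREATEDATETIME"]))
    open_runs = {}  # DESCRIPTION -> epoch of the RUN still waiting for its STOP
    cycles = []
    for e in ordered:
        desc, t = e["DESCRIPTION"], to_epoch(e["CREATEDATETIME"])
        if e["VALUE"] == "RUN":
            open_runs[desc] = t  # a RUN that never gets a STOP is simply superseded
        elif e["VALUE"] == "STOP" and desc in open_runs:
            start = open_runs.pop(desc)
            cycles.append((desc, start, t - start))
    return cycles


def active_seconds(events):
    """Total active time per pump: the sum of its RUN->STOP cycle durations."""
    totals = {}
    for desc, _start, dur in run_stop_cycles(events):
        totals[desc] = totals.get(desc, 0.0) + dur
    return totals


if __name__ == "__main__":
    spans = range_by_description(SAMPLE_EVENTS)
    for desc, start, dur in run_stop_cycles(SAMPLE_EVENTS):
        print(f"{desc}: one cycle of {to_duration_string(dur)}")
    for desc, total in active_seconds(SAMPLE_EVENTS).items():
        print(f"{desc}: total active {to_duration_string(total)}, "
              f"range() would report {to_duration_string(spans[desc])}")
```

Two things the sample data brings out: range() is max minus min across every event of a pump, so with two cycles for "sump pump" it reports the span from the first RUN to the last STOP (04:59:15) rather than the 00:06:45 the pump actually ran, which is why pairing RUN with STOP (or a per-transaction duration) is the safer basis for active time; and the original search's seconds-since-midnight arithmetic gives 43260 for 12:01 AM because the 12-hour clock's "12" is not zero, and it cannot be subtracted across midnight at all, which parsing the full CREATEDATETIME with strptime avoids.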