Hi, I am new to Splunk, just started a few days ago. Below are the events that I have searched and sorted. I would like to get the duration between step 1 and step 2 by the same UniqueString, and show it in a new field. The reason to store it in a new field is because I would like to later make a chart to show the before/after 2 eval run. I read many help articles and I tried eval and stats, but it ends up with 0 results. Please help.

My search:

index=aaa host=aaa* sourcetype=aaa_logs Command="Step1*" OR Command="Step2*" | sort by _time | dedup UniqueString

210312 12:07:45.619 INFO Step1( "UniqueString2.DAT" )
210312 12:07:55.609 INFO Step1( "UniqueString1.DAT" )
210312 12:07:56.015 INFO Step2("M;UniqueString1", "A", "C", "D", "A")
210312 12:07:56.609 INFO Step1( "UniqueString3.DAT" )
210312 12:15:27.989 INFO Step2("M;UniqueString2", "B", "E", "F", "B")
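The pairing this question asks for, worked offline in Python on the five events from the post (an added example, not part of the original post and not Splunk search syntax). It assumes the timestamp is YYMMDD followed by the time, and that the key is the first quoted argument with the "M;" prefix and ".DAT" suffix removed; the function and variable names are illustrative.

```python
import re
from datetime import datetime

# The five events shown in the post, embedded as sample input.
EVENTS = '''\
210312 12:07:45.619 INFO Step1( "UniqueString2.DAT" )
210312 12:07:55.609 INFO Step1( "UniqueString1.DAT" )
210312 12:07:56.015 INFO Step2("M;UniqueString1", "A", "C", "D", "A")
210312 12:07:56.609 INFO Step1( "UniqueString3.DAT" )
210312 12:15:27.989 INFO Step2("M;UniqueString2", "B", "E", "F", "B")
'''

# Assumption: Step1 carries the key as "<key>.DAT" and Step2 as "M;<key>",
# so both forms are normalised to the bare key before pairing.
LINE = re.compile(
    r'^(\d{6} \d{2}:\d{2}:\d{2}\.\d{3}) INFO Step([12])\(\s*'
    r'"(?:M;)?([^"]+?)(?:\.DAT)?"'
)


def step_durations(text):
    """Map each key to the seconds between its first Step1 and the first
    Step2 that follows it; None when no Step2 was seen for that key."""
    started = {}
    durations = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a Step1/Step2 event in the expected layout
        # Assumption: the leading six digits are YYMMDD.
        ts = datetime.strptime(m.group(1), "%y%m%d %H:%M:%S.%f")
        step, key = m.group(2), m.group(3)
        if step == "1":
            started.setdefault(key, ts)
            durations.setdefault(key, None)
        elif key in started and durations[key] is None:
            delta = ts - started[key]
            durations[key] = round(delta.total_seconds(), 3)
    return durations


if __name__ == "__main__":
    for key, seconds in sorted(step_durations(EVENTS).items()):
        print(key, "no Step2 yet" if seconds is None else f"{seconds:.3f}s")
```

Both events for a key have to survive to the pairing stage, and their key values have to match after normalisation, before a duration can be computed.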