×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ayela
Engager
Member since: ‎06-25-2018
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎06-25-2018
View All

Re: How to get time between events during a search...

by in Splunk Search
‎06-27-2018 09:42 AM
‎06-27-2018 09:42 AM
THANK YOU !!!! you just misspelled starttime but thank you very much !! ... View more

Re: How to get time between events during a search...

by in Splunk Search
‎06-26-2018 07:02 AM
‎06-26-2018 07:02 AM
Thank you for responding. Sorry if it was not clear. here's an example pf the query I try to do index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "Source Message Received" "_TEST01*" | xmlkv | table userId, _time the previous query works it gets all the userId(from the xml) and the initial time now I want to do something like this : for each userId index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "sent" "_TEST01" userId | top limit=1 _time | table userId, ( _time2 - _time) _time2 is the the time when it was sent _time is the time we received the id userId : value of the xml tag ... View more

Re: How to get time between events during a search...

by in Splunk Search
‎06-26-2018 07:00 AM
‎06-26-2018 07:00 AM
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "Source Message Received" "_TEST01*" | xmlkv | table userId, _time the previous query works it gets all the userId and the initial time now I want to do something like this : for each userId index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "sent" "_TEST01" userId | top limit=1 _time | table userId, ( _time2 - _time) _time2 is the the time when it was sent _time is the time we received the id userId : value of the xml tag ... View more

How to get time between events during a search?

by in Splunk Search
‎06-25-2018 07:24 PM
‎06-25-2018 07:24 PM
Hi everyone, Recently I faced some issues when I try to do an advance search. My problem : I need to create table that contains : id | duration I search for the first appearance keyword and get the time. Example : Received 115sd65sa25sa. 115sd65sa25sa is my id and Received is my keyword let say the variable a = _time. Now for each id I want to search when it was sent (I also have a keyword for that) Example : Sent115sd65sa25sa b=_time So at the end I should have a table that contains the id and b-a I tried to use different techniques like map and sub-search but it doesn't seem to work. Thank you very much ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All